CVE-2025-54478: Mattermost Confluence Plugin is Missing Authentication for Critical Function

August 11, 2025 (updated August 12, 2025)

Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.

References

github.com/advisories/GHSA-qpjq-c5hr-7925
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-54478

Code Behaviors & Features

Detect and mitigate CVE-2025-54478 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →