
SA-2026-06-01

Summary

This is a Security Advisory about the following vulnerability in S/Notify for Confluence.

IDOR based vulnerability in S/Notify user PGP key upload

CVE-ID: (requested – will be updated)

We would like to inform our clients about an IDOR (Insecure Direct Object Reference) based vulnerability that has been found in the user profile configuration of S/Notify for Confluence 4.2.0.

You are affected when all of the following conditions apply:

  • you use Confluence 10.x

  • and you use S/Notify for Confluence 4.2.0

  • and you have configured S/Notify to allow users to upload their own keys

  • and you have configured S/Notify with PGP only or PGP preferred

In this case, we recommend that you update S/Notify as soon as possible.

For further clarity, this vulnerability does not apply to any of these cases:

  • you use S/Notify for Jira or Bitbucket 👍

  • you use Confluence in a version before 10.0 👍

  • you do not use S/Notify for Confluence in version 4.2.0

  • you use S/MIME only 👍

  • you do not allow users to upload keys 👍

Description

While an authenticated user is logged on, the user can upload a specifically crafted PGP key to another user’s profile by manipulating the POST request parameters.

Therefore, if an attacker has access to valid Confluence credentials, the vulnerability allows them to upload a PGP key to another user’s profile. The PGP key must be specifically crafted to match the other user’s email address. The key would from then on be used to encrypt emails to the other user.

Background

Insecure Direct Object Reference (IDOR) allows access to objects which do not belong to the authenticated user. It is caused by an implementation bug, which has been introduced inadvertently with the changes for Confluence 10 in the latest release 4.2.0 of S/Notify for Confluence. Previous releases are not affected.
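
The missing check, as an added illustration (not S/Notify code; the data model, function names and sample users are hypothetical). A key whose user ID matches the target's email address passes validation, but PGP user IDs are self-asserted, so the write must also be bound to the authenticated session user.

```python
from dataclasses import dataclass
from typing import Dict, Optional

class Forbidden(Exception):
    """Caller is not allowed to modify the referenced profile."""

@dataclass
class Key:
    uid_email: str    # address in the key's user ID, chosen by whoever made the key
    fingerprint: str  # constructed placeholder, not a real fingerprint

@dataclass
class Profile:
    email: str
    key: Optional[Key] = None

def make_profiles() -> Dict[str, Profile]:
    # Constructed sample users, for illustration only.
    return {"alice": Profile("alice@example.com"),
            "mallory": Profile("mallory@example.com")}

def _store(profiles, username, key):
    profile = profiles[username]
    # Validation only: it says nothing about who is making the request.
    if key.uid_email.lower() != profile.email.lower():
        raise ValueError("key user ID does not match profile email")
    profile.key = key
    return username

def upload_key_unchecked(profiles, session_user, target_user, key):
    """IDOR pattern: the profile is selected by a request parameter alone."""
    return _store(profiles, target_user, key)

def upload_key_checked(profiles, session_user, target_user, key):
    """Authorization first: only the logged-on user's own profile is writable."""
    if target_user != session_user:
        raise Forbidden(f"{session_user} may not modify {target_user}'s key")
    return _store(profiles, target_user, key)

def demo():
    foreign = Key("alice@example.com", "CONSTRUCTED-FPR-NOT-ALICE")
    before, after = make_profiles(), make_profiles()
    upload_key_unchecked(before, "mallory", "alice", foreign)
    try:
        upload_key_checked(after, "mallory", "alice", foreign)
        blocked = False
    except Forbidden:
        blocked = True
    return before["alice"].key, after["alice"].key, blocked
```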

Business Impact

Uploading the PGP key to the user profile means that this user will from then on receive emails encrypted with another key, so the user would not be able to decrypt and read the emails. Therefore, this attack would not go unnoticed for long.

In order to read or fake the emails, the attacker would need to be able to intercept the email transport at some other point, which means that this vulnerability alone does not lead to information leaks.

Assessment

We have calculated a preliminary CVSS 5.1 (medium) rating in the Common Vulnerability Scoring System.

This vulnerability has been found in a penetration test by a security researcher. We have no reports or other indication of it being actively exploited.

Action

Affected versions

Only version 4.2.0 of S/Notify for Confluence is affected.

Temporary Mitigation

Disallow user uploads.

Permanent Fix

Download and install our fix release:

  • S/Notify for Confluence 4.2.1
