2026-03-09 - Information disclosure in custom template permissions
Status: Remediated on
Nature of the issue
We were informed via our Bugcrowd program of an issue affecting the Elements Spreadsheet for Confluence Cloud app, specifically the Custom template space-level feature.
Under certain conditions, a Confluence user who does not have access to a space’s custom templates UI could still query and view the permission configuration of those custom templates by manipulating a network request. This does not grant the user access to the templates themselves or to any spreadsheet data, but it can reveal which users and groups are allowed to use specific custom templates.
The report was submitted to us responsibly through Bugcrowd, and no malicious use has been reported to date.
Impact
The issue allows a logged‑in Confluence user (with access to the site but not to the admin custom templates UI) to:
Call an internal Forge resolver with a modified functionKey (getCustomTemplatePermissions instead of getConnectedUser).
Receive a response containing the list of users and groups configured in “Custom Template Permissions” for that space’s Elements Spreadsheet custom templates.
The issue does not:
Allow access to the content of custom templates or spreadsheets.
Allow elevation of Confluence or app permissions.
Allow changes to permissions or templates.
Bypass Confluence space or page permissions.
In other words, this is an information disclosure of permission metadata, not a full broken‑access‑control on template usage or data.
Data and privacy considerations
No spreadsheet content, no Confluence page content, and no credentials are exposed by this issue.
Only permission metadata (users/groups configured on custom templates) is potentially visible to authenticated Confluence users who already have access to the space.
At this time, we have no indication of malicious exploitation beyond the controlled proof‑of‑concept provided in Bugcrowd.
Our response
We take the confidentiality of any user‑related configuration very seriously. After receiving the report, we:
Acknowledged the issue and rewarded the researcher through our Bugcrowd program.
Fixed the vulnerability in our backend by:
Enforcing strict server‑side authorization on the resolver that returns custom template permissions, so only users who are allowed to view those permissions can call it successfully.
Ensuring that resolver functions cannot be invoked just by changing the functionKey in a request, by tightening the link between the front‑end module, the Forge extension, and the resolvers that can be called.
Improved our defense in depth by:
Hardening our GraphQL / Forge entry points against unexpected or manipulated payloads.
Extending automated test coverage around permission‑related resolvers to prevent regressions.
These changes mean that the specific technique described in the Bugcrowd report no longer works: unauthorized users can no longer retrieve “Custom Template Permissions” via modified network requests, and permission checks are consistently enforced on the server side.
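To make the two fixes above concrete, here is an added illustration (not Elements' code and not the Forge SDK) of a minimal resolver dispatcher modelled on the issue: the resolver names getConnectedUser and getCustomTemplatePermissions come from this advisory, while the space key, account ids, module keys and permission data are constructed. The "before" dispatcher invokes whatever functionKey the client sends with no per-resolver authorization; the "after" dispatcher binds each front-end module to the resolvers it may call and makes the permissions resolver check the platform-supplied caller identity on the server side.

```javascript
// Added example, not Elements' code: a minimal model of a Forge-style resolver
// dispatcher, showing the defect described in the advisory (dispatch by a
// client-supplied functionKey with no per-resolver authorization) beside a
// hardened form. Resolver names are taken from the advisory; the space key,
// account ids, module keys and permission data below are constructed.

// Constructed data: which accounts may administer custom templates in a space,
// and the permission metadata the resolver returns (who may use each template).
const TEMPLATE_ADMINS = { SPACE1: new Set(['acct-admin']) };
const CUSTOM_TEMPLATE_PERMISSIONS = {
  SPACE1: [{ template: 'Budget', users: ['acct-finance'], groups: ['finance-team'] }],
};

// `ctx` stands for the context the platform attaches server-side (caller's
// accountId, invoking module); `payload` is whatever the client sent.
const resolversBefore = {
  getConnectedUser: (ctx) => ({ accountId: ctx.accountId }),
  // Defect: the admin UI was hidden from non-admins, but the resolver itself
  // never checked who was asking.
  getCustomTemplatePermissions: (ctx, payload) =>
    CUSTOM_TEMPLATE_PERMISSIONS[payload.spaceKey] ?? [],
};

// Vulnerable dispatch: any registered functionKey in the request is invoked.
function dispatchBefore(request, ctx) {
  const fn = resolversBefore[request.functionKey];
  if (!fn) return { status: 404 };
  return { status: 200, body: fn(ctx, request.payload) };
}

// Hardened form, mirroring the two fixes in the advisory:
// 1. Each front-end module is bound to the resolvers it may call, so changing
//    functionKey cannot reach a resolver the module was never wired to.
const MODULE_RESOLVERS = {
  'spreadsheet-macro': new Set(['getConnectedUser']),
  'template-admin-page': new Set(['getConnectedUser', 'getCustomTemplatePermissions']),
};

// 2. The permissions resolver enforces authorization server-side, using the
//    platform-supplied accountId rather than anything in the payload.
const resolversAfter = {
  getConnectedUser: resolversBefore.getConnectedUser,
  getCustomTemplatePermissions: (ctx, payload) => {
    const admins = TEMPLATE_ADMINS[payload.spaceKey];
    if (!admins || !admins.has(ctx.accountId)) {
      throw new Error('forbidden');
    }
    return CUSTOM_TEMPLATE_PERMISSIONS[payload.spaceKey];
  },
};

function dispatchAfter(request, ctx) {
  const allowed = MODULE_RESOLVERS[ctx.moduleKey];
  // Unknown module or a functionKey the module is not wired to: treat as absent.
  if (!allowed || !allowed.has(request.functionKey)) return { status: 404 };
  try {
    return { status: 200, body: resolversAfter[request.functionKey](ctx, request.payload) };
  } catch (e) {
    return e.message === 'forbidden' ? { status: 403 } : { status: 500 };
  }
}

// Constructed scenario from the advisory: a space member who is not a template
// admin sends a request from the spreadsheet macro with a modified functionKey.
const viewerCtx = { accountId: 'acct-viewer', moduleKey: 'spreadsheet-macro' };
const modified = { functionKey: 'getCustomTemplatePermissions', payload: { spaceKey: 'SPACE1' } };

function demo() {
  return {
    before: dispatchBefore(modified, viewerCtx), // 200: permission metadata disclosed
    after: dispatchAfter(modified, viewerCtx),   // 404: resolver not exposed to this module
    adminAfter: dispatchAfter(modified, { accountId: 'acct-admin', moduleKey: 'template-admin-page' }), // 200
  };
}
```

The two layers are deliberately independent: the module-to-resolver binding stops a request from reaching a resolver it was never meant for, and the in-resolver check still rejects a non-admin even when the request arrives through the legitimate admin module, which is the check that makes the server, not the UI, the authority on who may read this metadata.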