SummaryUnfiltered Confluence People Directory accessible to all users behind specially designed URLs
Advisory Release Date



Space Privacy

Affected Versions

Space Privacy 3.1.0 and earlier

Fixed VersionSpace Privacy 3.1.1
CVSS ClassificationBase Score 4.3 (Medium)


Accessing the People Directory with a specially designed URL while logged in allowed bypassing the Space Privacy filters – displaying basic profile information (name, email address and avatar) of all registered users.

This vulnerability has been rated as Medium (4.3) according to the scale published under the Common Vulnerability Scoring System (CVSS). Space Privacy 3.1.0 and earlier are affected by this vulnerability.

A customer disclosed the potential for profile data leaks to us after hours on . During  we investigated the issue, patched the URL redirect to account for the vulnerable behavior, and prepared a hotfix release to Atlassian Marketplace. This patch, Space Privacy 3.1.1, has been published on .


Update to the latest Marketplace version: Space Privacy 3.1.1 or newer.

Should you be unable to perform this update, or encounter technical challenges while doing so, please reach out to our support team at

A bug in certain Confluence versions (in particular, 7.4.6 and earlier) can cause parts of theming to not work properly after performing app updates. For more details, please refer to Parts of Linchpin or Confluence not accessible after update in our knowledge base if you're using Linchpin-based theming.

This content was last updated on 04/28/2021.

This content hasn't been updated in a while. That doesn't have to be a problem. Some of our pages live for years without becoming obsolete. Please click this link if you want us to update this page. Old content can be incorrect, misleading or outdated. Please get in contact with us via a form on this page, our live chat or via email with if you are in doubt, have a question, suggestion, or want changes from us.