Mattermost Jira Plugin Authentication Bypass Vulnerability Allowing Unauthenticated Issue Key Injection

Vulnerability

A vulnerability exists in Mattermost versions 11.1.0, 11.0.5, 10.12.3, and 10.11.7 with the Jira plugin enabled. The issue arises in Jira plugin versions through 4.4.0, where authentication and issue-key path restrictions are not properly enforced. This flaw allows an unauthenticated attacker who knows a valid user ID to send authenticated GET and POST requests to the Jira server. Exploitation involves crafting plugin payloads that spoof the user ID and inject arbitrary issue key paths.

Impact

Successful exploitation allows for unauthorized injection of issue key paths, potentially leading to manipulation of Jira issues on behalf of the spoofed user.
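As an added illustration, not code from Mattermost or the Jira plugin, the following Go helper shows the two checks whose absence the advisory describes: the acting user is taken only from the Mattermost-User-Id header that the Mattermost server sets on plugin requests it has authenticated (never from the payload), and the issue key must match a strict pattern before it is placed into the Jira REST path. The function names, the /rest/api/2/issue/ path and the sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
)

// A Jira issue key is a project key plus a numeric id (PROJ-123). The anchored
// pattern rejects slashes, dots and encoded separators, so the key cannot extend the path.
var issueKeyRe = regexp.MustCompile(`^[A-Z][A-Z0-9_]*-[0-9]+$`)

// ValidateIssueKey returns an error unless key is a bare issue key.
func ValidateIssueKey(key string) error {
	if !issueKeyRe.MatchString(key) {
		return errors.New("invalid issue key: " + key)
	}
	return nil
}

// CallerUserID reads the Mattermost-User-Id header, which the Mattermost server sets
// on requests it has authenticated before forwarding them to a plugin.
func CallerUserID(r *http.Request) (string, error) {
	if uid := r.Header.Get("Mattermost-User-Id"); uid != "" {
		return uid, nil
	}
	return "", errors.New("unauthenticated request")
}

// ResolveIssueRequest (hypothetical helper) decides on whose behalf and for which
// issue a Jira call may be made. A user id in the payload is never trusted alone.
func ResolveIssueRequest(r *http.Request, bodyUserID, issueKey string) (string, string, error) {
	uid, err := CallerUserID(r)
	if err != nil {
		return "", "", err
	}
	if bodyUserID != "" && bodyUserID != uid {
		return "", "", errors.New("payload user id does not match authenticated user")
	}
	if err := ValidateIssueKey(issueKey); err != nil {
		return "", "", err
	}
	return uid, "/rest/api/2/issue/" + issueKey, nil // assumed Jira REST path
}

func main() {
	r := &http.Request{Header: http.Header{"Mattermost-User-Id": {"u1"}}} // constructed request
	fmt.Println(ResolveIssueRequest(r, "u1", "PROJ-1/watchers"))          // rejected: extra path segment
}
```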

Remediation

Users can upgrade to Mattermost versions 11.2.0, 11.1.8, 11.0.6, or 10.12.4, where this vulnerability has been addressed.

Added: Dec 22, 2025, 12:17 PM
Updated: Dec 22, 2025, 12:17 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 7.4
remediation: 8.3
relevance: 1.6
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.