Mattermost Jira Plugin User Permission Vulnerability Allowing Unauthorized Access to Channel Posts

Vulnerability

A vulnerability exists in the Mattermost Jira plugin, specifically in versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1. The plugin fails to properly validate user permissions when creating Jira issues from Mattermost posts. An authenticated attacker with access to the Jira plugin can use the '/create-issue' API endpoint, referencing the post ID of a post in a channel they cannot access, to read that post's content and attachments.
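The missing check described above, shown as an added example that is not the plugin's own code: a lookup by post ID that skips authorization, beside one that verifies the caller can read the post's channel first. The types, function names and sample data are hypothetical and constructed for illustration; they are not the Mattermost plugin API.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model (constructed data); not the Mattermost plugin API.
type Post struct{ ChannelID, Message string }
type Store struct {
	posts   map[string]Post
	members map[string]map[string]bool // channelID -> userID -> is member
}

// One error for "missing" and "not allowed", so post IDs cannot be probed.
var ErrNoAccess = errors.New("post not found or not accessible")

// issueBodyUnchecked mirrors the flaw: the post is fetched by ID and its
// content is used without asking whether userID may read its channel.
func (s *Store) issueBodyUnchecked(userID, postID string) (string, error) {
	p, ok := s.posts[postID]
	if !ok {
		return "", ErrNoAccess
	}
	return p.Message, nil
}

// issueBodyChecked authorizes the caller against the post's channel first.
func (s *Store) issueBodyChecked(userID, postID string) (string, error) {
	p, ok := s.posts[postID]
	if !ok || !s.members[p.ChannelID][userID] {
		return "", ErrNoAccess
	}
	return p.Message, nil
}

func sampleStore() *Store {
	return &Store{
		posts:   map[string]Post{"p1": {ChannelID: "private-finance", Message: "quarterly numbers draft"}},
		members: map[string]map[string]bool{"private-finance": {"alice": true}},
	}
}

func main() {
	s := sampleStore()
	_, errC := s.issueBodyChecked("mallory", "p1")
	fmt.Println("checked lookup by non-member:", errC)
}
```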

Impact

Exploitation of this vulnerability allows for unauthorized access to channel posts and attachments, bypassing normal permission restrictions.

Remediation

Users can upgrade to Mattermost versions 11.3.0, 10.11.10, or 11.2.2 to address this vulnerability.

Added: Feb 13, 2026, 11:25 AM
Updated: Feb 13, 2026, 2:55 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 4.8
remediation: 7.7
relevance: 3.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.