Description
syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.
Published: 2026-06-16
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Secure Login (2FA) plugin for Atlassian Jira, Confluence and Bitbucket in versions 3.4.0.x contains a broken access control flaw that allows an attacker who already has valid user credentials to bypass the two‑factor authentication step. By sending HTTP requests with a specially crafted User‑Agent header containing strings like AtlassianMobileApp or JIRA, the plugin skips the configured 2FA checks for protected resources. Successful exploitation gives the attacker full access to the application under the compromised account, and if that account has administrative rights the attacker can perform privileged actions or even disable the 2FA protection itself.

Affected Systems

Affected systems are syracom AG’s Secure Login (2FA) plugin deployments for Atlassian Jira, Confluence and Bitbucket. The vulnerability exists in all 3.4.0.x releases of the plugin. Versions 3.5.0.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score of less than 1% shows that exploitation is currently not common. The vulnerability is not listed in the CISA KEV catalog. Attackers can reasonably send crafted HTTP requests over the network, so the attack vector is remote. If exploited, the impact could be complete compromise of privileged accounts and the ability to disable security controls. Immediate remediation is recommended.

Generated by OpenCVE AI on June 17, 2026 at 22:37 UTC.

Remediation

Vendor Solution

Upgrade Secure Login (2FA) for Jira, Confluence, and Bitbucket to version 3.5.0.0 or later.


Vendor Workaround

No workaround is required. The vendor provides a fixed version 3.5.0.0, which should be installed immediately.


OpenCVE Recommended Actions

  • Upgrade Secure Login (2FA) plugin to version 3.5.0.0 or later.
  • Restrict or disable the plugin until the upgrade is complete to prevent 2FA bypass.
  • Monitor authentication logs for unusual User‑Agent patterns indicating potential bypass attempts.

Generated by OpenCVE AI on June 17, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Syracom
Syracom secure Login (2fa) For Bitbucket
Syracom secure Login (2fa) For Confluence
Syracom secure Login (2fa) For Jira
Vendors & Products Syracom
Syracom secure Login (2fa) For Bitbucket
Syracom secure Login (2fa) For Confluence
Syracom secure Login (2fa) For Jira

Tue, 16 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.
Title syracom Secure Login (2FA) for Confluence allows 2FA bypass via spoofed User-Agent
Weaknesses CWE-288
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Syracom Secure Login (2fa) For Bitbucket Secure Login (2fa) For Confluence Secure Login (2fa) For Jira
cve-icon MITRE

Status: PUBLISHED

Assigner: SEC-VLab

Published:

Updated: 2026-06-21T07:37:23.996Z

Reserved: 2026-06-14T15:35:21.997Z

Link: CVE-2026-12225

cve-icon Vulnrichment

Updated: 2026-06-21T07:37:23.996Z

cve-icon NVD

Status : Deferred

Published: 2026-06-16T12:16:26.097

Modified: 2026-06-16T15:36:43.610

Link: CVE-2026-12225

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:13Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel