Description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550
Published: 2026-02-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized reading of restricted Mattermost post content and attachments via the Jira plugin
Action: Apply Patch
AI Analysis

Impact

Mattermost versions before 11.1.3, 10.11.10, and 11.2.2 incorrectly ignore permission checks while creating Jira issues, enabling an authenticated user who can access the Jira plugin to retrieve the full content and attachments of any post the user otherwise cannot see. This privilege escalation flaw stems from inadequate authorization controls (CWE‑863). The resulting leakage can expose sensitive information to unauthorized personnel or systems.

Affected Systems

Versions of Mattermost Mattermost Server 10.11.x up to 10.11.9, 11.1.x up to 11.1.2, and 11.2.x up to 11.2.1 are impacted. Users running these releases are vulnerable to the confidentiality breach described above.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.3, indicating moderate severity. The EPSS score is < 1%, suggesting a low probability of exploitation in the near term. It does not currently appear in the CISA KEV catalog. Exploitation requires an authenticated attacker with access to the Jira plugin, typically through legitimate plugin use or via compromised credentials. Without such access, the flaw remains unexploitable.

Generated by OpenCVE AI on April 17, 2026 at 19:54 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.3.0, 11.1.3, 10.11.10, 11.2.2 or higher.

OpenCVE Recommended Actions

  • Update Mattermost to version 11.3.0, 11.1.3, 10.11.10, 11.2.2 or newer as per the vendor advisory
  • Restrict Jira plugin permissions so that only authorized roles can invoke the /create-issue endpoint
  • If the plugin is not required for your environment, consider disabling it entirely or restricting its endpoints through network firewalls or application‑level controls

Generated by OpenCVE AI on April 17, 2026 at 19:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9pj7-jh2r-87g8 Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts
References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Wed, 18 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost mattermost Server
CPEs cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*
Vendors & Products Mattermost mattermost Server

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Fri, 13 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 10:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550
Title Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Mattermost Mattermost Mattermost Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-02-13T17:03:30.894Z

Reserved: 2026-01-15T11:34:00.188Z

Link: CVE-2026-22892

cve-icon Vulnrichment

Updated: 2026-02-13T17:03:16.680Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-13T11:16:10.693

Modified: 2026-02-18T21:34:16.227

Link: CVE-2026-22892

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses