Impact
The vulnerability exists in Mattermost Jira plugin versions 11.7.x up to 11.7.0, 11.6.x up to 11.6.2, 11.5.x up to 11.5.5, and 10.11.x up to 10.11.17. It allows a remote attacker to send a POST request to the /ac/installed endpoint during the pending‑install window without proper authentication, enabling the attacker to inject a rogue sharedSecret. This manipulation can corrupt the Jira integration configuration, potentially preventing legitimate Jira connections or exposing sensitive integration data. The flaw is identified as missing authentication for a sensitive operation (CWE‑306).
Affected Systems
The affected product is the Mattermost Jira plugin. Mattermost versions 10.11.0 through 10.11.17, 11.5.0 through 11.5.5, 11.6.0 through 11.6.2, and all 11.7.x versions up to 11.7.0 are impacted. The vulnerability also applies to earlier 11.6.x before 11.6.3, 11.5.x before 11.5.6, and 10.11.x before 10.11.18.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity. Because EPSS data is not available, the exact probability of exploitation cannot be quantified, and the flaw is not listed in the CISA KEV catalog. The flaw permits unauthenticated remote attackers to POST to /ac/installed while a Jira integration is pending installation, thereby injecting a rogue sharedSecret and disrupting the integration. As the callback lacks authentication, exploitation requires only access to the Mattermost instance and no additional credentials.
OpenCVE Enrichment