Description
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654
Published: 2026-06-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Mattermost Jira plugin versions 11.7.x up to 11.7.0, 11.6.x up to 11.6.2, 11.5.x up to 11.5.5, and 10.11.x up to 10.11.17. It allows a remote attacker to send a POST request to the /ac/installed endpoint during the pending‑install window without proper authentication, enabling the attacker to inject a rogue sharedSecret. This manipulation can corrupt the Jira integration configuration, potentially preventing legitimate Jira connections or exposing sensitive integration data. The flaw is identified as missing authentication for a sensitive operation (CWE‑306).

Affected Systems

The affected product is the Mattermost Jira plugin. Mattermost versions 10.11.0 through 10.11.17, 11.5.0 through 11.5.5, 11.6.0 through 11.6.2, and all 11.7.x versions up to 11.7.0 are impacted. The vulnerability also applies to earlier 11.6.x before 11.6.3, 11.5.x before 11.5.6, and 10.11.x before 10.11.18.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. Because EPSS data is not available, the exact probability of exploitation cannot be quantified, and the flaw is not listed in the CISA KEV catalog. The flaw permits unauthenticated remote attackers to POST to /ac/installed while a Jira integration is pending installation, thereby injecting a rogue sharedSecret and disrupting the integration. As the callback lacks authentication, exploitation requires only access to the Mattermost instance and no additional credentials.

Generated by OpenCVE AI on June 22, 2026 at 14:35 UTC.

Remediation

Vendor Solution

Update Mattermost to versions 11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or higher.


OpenCVE Recommended Actions

  • Upgrade Mattermost to a fixed version (11.8.0, 11.7.1, 11.6.3, 11.5.6, 10.11.18 or later).
  • If upgrading is not immediately possible, disable or remove the Jira plugin until the update is applied to prevent exploitation during the pending‑install period.
  • Audit any pending Atlassian Connect installations and clear pending states to eliminate exposure to the unauthenticated callback.

Generated by OpenCVE AI on June 22, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654
Title Mattermost Jira plugin had unauthenticated {{/ac/installed}} lifecycle callback during pending Jira Cloud install
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H'}


Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-06-22T15:41:08.511Z

Reserved: 2026-04-20T13:45:33.430Z

Link: CVE-2026-6673

cve-icon Vulnrichment

Updated: 2026-06-22T15:41:01.960Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T15:45:03Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function