PT-2026-7985 · Atlassian+1 · Jira+1

Juho Forsén

Published

2026-02-13

Updated

2026-03-03

CVE-2026-22892

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.x through 10.11.9 Mattermost versions 11.1.x through 11.1.2 Mattermost versions 11.2.x through 11.2.1

Description The software does not properly validate user permissions when creating Jira issues from Mattermost posts. This allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they should not have access to. The issue occurs when using the /create-issue API endpoint and providing the post ID of an inaccessible post. The vulnerable parameter is the post ID.

Recommendations Update Mattermost to a version later than 10.11.9. Update Mattermost to a version later than 11.1.2. Update Mattermost to a version later than 11.2.1.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2026-22892

GHSA-9PJ7-JH2R-87G8

GO-2026-4496

SUSE-SU-2026:0757-1

Affected Products

Jira

Mattermost

PT-2026-7985 · Atlassian+1 · Jira+1

CVE-2026-22892

Weakness Enumeration

Related Identifiers

Affected Products

References · 120