
Secure Login 2FA: EUVD-2026-37066 / CVE-2026-12225

Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Published 2026-06-16 · Source: SEC-VLab · GHSA-xfw8-8p99-43jw
Severity: HIGH 8.7 (CVSS 4.0 · Vendor: SEC-VLab)

Severity by source

Vendor (SEC-VLab), primary: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 8.8 HIGH
Network-reachable HTTP; the bypass only needs an attacker-chosen User-Agent header value, so attack complexity is low (AC:L); requires one valid low-privilege credential (PR:L) and no user interaction; bypassing 2FA on the application yields full confidentiality, integrity and availability impact on the Atlassian instance.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (8.7)

Primary rating from Vendor (SEC-VLab).

CVSS Vector (Vendor: SEC-VLab)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: None
Safety (S): Not Defined (X). CVSS 4.0 has no Scope metric; the "S" component of the vector is the supplemental Safety metric, left undefined here.

Lifecycle Timeline (3 events)

CVE Published: Jun 16, 2026 11:20 (cve.org)
Analysis Generated: Jun 16, 2026 11:51 (vuln.today)
Patch available: Jun 16, 2026 13:01 (EUVD)

Description (CVE.org)

syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.

Analysis (AI)

Two-factor authentication bypass in syracom AG Secure Login (2FA) plugin 3.4.0.x for Atlassian Jira, Confluence, and Bitbucket allows an attacker holding valid first-factor credentials to skip the 2FA challenge entirely by placing strings such as 'AtlassianMobileApp' or 'JIRA' in the HTTP User-Agent header. The plugin treats such requests as mobile-app traffic and waives 2FA enforcement on protected web resources. Because the User-Agent value is chosen entirely by the client, a substring allowlist on it is not an identity check at all: it is an attacker-selectable alternate path around the control (CWE-288), which neutralizes the security function the plugin exists to provide. …
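The pattern the analysis describes, as an added illustration in Python (this is not the syracom plugin's code, and the request/session objects are assumed for the demo): a 2FA gate that consults a client-controlled header next to the hardened form, in which the only thing that can waive the second factor is server-side state written by the server after that factor was verified.

```python
# Added illustration of the CWE-288 pattern from the advisory. Not the vendor's code;
# the Request shape (headers dict, server-side session dict) is an assumption.
from dataclasses import dataclass, field

# Substrings named in the CVE text as sufficient to waive 2FA in 3.4.0.x.
MOBILE_UA_MARKERS = ("AtlassianMobileApp", "JIRA")


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    # Server-side session state; only the server writes "2fa_verified".
    session: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive, so match accordingly.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def vulnerable_requires_2fa(req: Request) -> bool:
    """Vulnerable pattern: let the User-Agent decide whether 2FA applies.

    The header is attacker-controlled, so the 'mobile app' branch is an
    alternate path around the control, not a property of the client.
    """
    ua = req.header("User-Agent")
    if any(marker in ua for marker in MOBILE_UA_MARKERS):
        return False  # treated as mobile traffic: second factor waived
    return not req.session.get("2fa_verified", False)


def hardened_requires_2fa(req: Request) -> bool:
    """Hardened pattern: nothing the client sends enters the decision.

    The second factor is required until the server itself has recorded,
    in the session, that the factor was completed for this login.
    """
    return not req.session.get("2fa_verified", False)


def demo() -> dict:
    # Constructed requests: same stolen password, no completed 2FA step,
    # except 'done', whose session the server marked after a real 2FA step.
    browser = Request("/secure/Dashboard.jspa", {"User-Agent": "Mozilla/5.0"})
    spoofed = Request("/secure/Dashboard.jspa", {"user-agent": "AtlassianMobileApp/1.0"})
    done = Request("/secure/Dashboard.jspa", {"User-Agent": "AtlassianMobileApp/1.0"},
                   session={"2fa_verified": True})
    return {
        "vuln_browser": vulnerable_requires_2fa(browser),  # True: 2FA enforced
        "vuln_spoofed": vulnerable_requires_2fa(spoofed),  # False: bypass
        "hard_spoofed": hardened_requires_2fa(spoofed),    # True: still enforced
        "hard_done": hardened_requires_2fa(done),          # False: legitimately completed
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: requires_2fa={value}")
```

If some client genuinely cannot complete the web challenge (a native mobile app, for instance), the fix is a separate channel that is itself authenticated server-side, such as a per-user token or enrollment the server records, not a string match on a header any HTTP client can set.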


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: obtain valid credentials via phishing or credential stuffing
Delivery: send the login request with User-Agent: AtlassianMobileApp
Exploit: the plugin skips its 2FA enforcement filter
Execution: receive an authenticated session cookie
Persist: access the user or admin web UI
Impact: disable the plugin or alter admin settings

Vulnerability Assessment (AI)

Exploitation requires (1) valid first-factor credentials (username and password) for any account on a targeted Jira, Confluence, or Bitbucket instance that has the Secure Login plugin installed at a 3.4.0.x release with 2FA enforcement enabled, and (2) the ability to send HTTP requests to the application with an attacker-chosen User-Agent header containing the literal substring 'AtlassianMobileApp' or 'JIRA'. …

Risk Assessment: the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H (score 8.7) accurately reflects a network-reachable, low-complexity bypass requiring only one set of valid credentials and no user interaction, with full CIA impact on the Atlassian instance. …

Exploit Scenario: an attacker phishes or credential-stuffs a valid Jira account belonging to a system administrator. They send a normal POST to the login endpoint with the stolen username and password but set 'User-Agent: AtlassianMobileApp/1.0'; the plugin recognizes the mobile substring, skips the 2FA prompt, and returns a fully authenticated session cookie. …

Remediation: vendor-released patch. Upgrade the Secure Login (2FA) plugin to version 3.5.0.0 or later in each affected Atlassian application, per the syracom advisory at https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/4193255427/2026-05-11+-+Secure+Login+security+advisory+-+Broken+Access+Control. …

Recommended Action (AI)

Within 24 hours: Audit all instances of syracom AG Secure Login plugin version 3.4.0.x across Jira, Confluence, and Bitbucket; inventory affected users and systems; issue incident communication. …
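Alongside the version audit, a practitioner will want to know whether the bypass was already used. The following hunt script is an added example (not vendor or vuln.today code) that scans Jira-style access log lines for sessions whose User-Agent carries one of the substrings the advisory names and ranks sessions that logged in with such a User-Agent and then reached administrative paths. The log layout, the login paths and the admin path prefixes are assumptions for the demo, and the log lines are constructed; adjust them to your deployment.

```python
# Added hunt script for CVE-2026-12225 exposure. Not vendor or vuln.today code.
# Assumptions: Tomcat-style Atlassian access log with request id, username and
# User-Agent fields (see SAMPLE_LOG); login and admin paths as listed below.
import re
from collections import OrderedDict

# Substrings named in the CVE description, matched case-sensitively as listed.
BYPASS_UA_MARKERS = ("AtlassianMobileApp", "JIRA")
# Assumed login endpoints: Jira /login.jsp, Confluence /dologin.action,
# Bitbucket /j_atl_security_check. Adjust for your products and base paths.
LOGIN_PATHS = ("/login.jsp", "/dologin.action", "/j_atl_security_check")
# Assumed administrative prefixes, including the plugin manager, where the
# advisory notes an admin session could disable the 2FA plugin.
ADMIN_PREFIXES = ("/secure/admin/", "/admin/", "/plugins/servlet/upm")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<session>[^"]*)"$'
)

# Constructed sample: an admin login with a spoofed mobile UA followed by an
# admin page, a normal browser login, and a REST call with 'JIRA' in the UA.
SAMPLE_LOG = """
10.0.0.5 1234x56x1 admin [16/Jun/2026:12:01:03 +0000] "POST /login.jsp HTTP/1.1" 302 - 210 "https://jira.example.internal/login.jsp" "AtlassianMobileApp/1.0" "abc123"
10.0.0.5 1234x57x1 admin [16/Jun/2026:12:01:04 +0000] "GET /secure/admin/ViewApplicationProperties.jspa HTTP/1.1" 200 5120 85 "-" "AtlassianMobileApp/1.0" "abc123"
192.0.2.7 1234x58x1 alice [16/Jun/2026:12:02:10 +0000] "POST /login.jsp HTTP/1.1" 302 - 190 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0" "def456"
192.0.2.7 1234x59x1 alice [16/Jun/2026:12:02:11 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 8000 40 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0" "def456"
198.51.100.9 1234x60x1 bob [16/Jun/2026:12:03:00 +0000] "GET /rest/api/2/myself HTTP/1.1" 200 300 20 "-" "Mozilla/5.0 JIRA spoof/1.0" "ghi789"
"""


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return per-session findings for requests whose UA carries a bypass marker."""
    findings = OrderedDict()
    for line in lines:
        rec = parse_line(line.strip())
        if not rec:
            continue  # blank or non-matching line
        hits = [mk for mk in BYPASS_UA_MARKERS if mk in rec["ua"]]
        if not hits:
            continue
        method, _, rest = rec["request"].partition(" ")
        path = rest.split(" ")[0]
        f = findings.setdefault(rec["session"], {
            "user": rec["user"], "ip": rec["ip"], "ua": rec["ua"], "markers": hits,
            "login": False, "admin_access": False, "requests": [],
        })
        f["requests"].append(f"{method} {path}")
        if method == "POST" and any(path.startswith(p) for p in LOGIN_PATHS):
            f["login"] = True  # first factor submitted under a marker UA
        if any(path.startswith(p) for p in ADMIN_PREFIXES):
            f["admin_access"] = True  # reached admin UI in the same session
    return findings


def prioritized(findings):
    """Highest first: marker UA at login and admin access, then login only, then rest."""
    return sorted(findings.items(),
                  key=lambda kv: (kv[1]["login"], kv[1]["admin_access"]), reverse=True)


if __name__ == "__main__":
    for session, f in prioritized(hunt(SAMPLE_LOG.splitlines())):
        flag = "ADMIN" if f["admin_access"] else ("LOGIN" if f["login"] else "ua-only")
        print(f"{flag:8} session={session} user={f['user']} ip={f['ip']} ua={f['ua']!r}")
```

Genuine Atlassian mobile clients will also match, so treat the output as a hunt list to reconcile against users and source addresses known to use the mobile apps, and to compare against the plugin's own 2FA completion records where they exist. A session that submits credentials and proceeds straight to application content without ever hitting the plugin's challenge page is the stronger signal; the path of that page is plugin-specific and is not assumed here.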
