Severity by source

AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H

AV:N and AC:H reflect network-reachable but timing-dependent exploitation; PR:N chosen because the description explicitly states an unauthenticated attacker, overriding the vendor's PR:L pending clarification; UI:R retained as an admin must initiate the install.

Primary rating from vendor (Mattermost).

CVSS Vector (Vendor: Mattermost)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
Description (CVE.org)
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window. Mattermost Advisory ID: MMSA-2026-00654
Analysis (AI)
Missing authentication on the Atlassian Connect install callback in Mattermost allows a remote attacker to inject a rogue sharedSecret into an in-progress Jira integration setup. Affected versions span the 10.11.x, 11.5.x, 11.6.x, and 11.7.x release trains, all of which expose the POST /ac/installed endpoint without validating the caller's identity during the pending-install window. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not included on this page)
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target Mattermost instance to have the Atlassian Connect Jira integration feature present and for a privileged user (admin) to have recently initiated a Jira app installation; this is the 'pending-install window' that exposes the /ac/installed endpoint to unauthenticated writes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS base score of 6.4 (Medium) reflects several mitigating complexity signals: AC:H acknowledges that exploitation must be timed to the pending-install window, a brief period when the endpoint is vulnerable, and UI:R implies that a legitimate user (likely an admin) must be actively initiating the Jira app installation to open that window. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who is monitoring network traffic or has knowledge of an ongoing Mattermost-Jira integration setup sends a crafted POST request to the target's /ac/installed endpoint immediately after an admin clicks to install the Jira integration, exploiting the brief period before the legitimate Atlassian callback arrives. The malicious payload supplies an attacker-controlled sharedSecret, which Mattermost stores without validation, replacing the legitimate trust credential. … |
| Remediation | The primary remediation is to upgrade to a patched Mattermost release as published in the vendor advisory at https://mattermost.com/security-updates (MMSA-2026-00654). … Detailed patch versions, workarounds, and compensating controls in full report. |
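As an added example (not code from the page or from Mattermost), the scenario above suggests a simple detection: during a pending-install window exactly one POST /ac/installed callback is expected, so a second one inside the window, or any callback with no pending install, is worth an alert. The access-log format, the five-minute window length and the install records below are constructed assumptions.

```python
"""Audit constructed access logs for suspicious POST /ac/installed callbacks."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample data (not real traffic). Admin-initiated installs are
# assumed to be recorded as (timestamp, admin); the log format is assumed.
PENDING_INSTALLS = [("2026-03-01T10:00:00", "admin@example.test")]
ACCESS_LOG = """\
2026-03-01T10:00:02 203.0.113.7 POST /ac/installed 200
2026-03-01T10:00:05 198.51.100.20 POST /ac/installed 200
2026-03-01T11:30:00 203.0.113.7 POST /ac/installed 200
"""
WINDOW = timedelta(minutes=5)  # assumed length of the pending-install window


def parse_line(line: str) -> Dict:
    """Parse one '<iso-ts> <src-ip> <method> <path> <status>' log line."""
    ts, src, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "path": path, "status": int(status)}


def audit(log_text: str, pending, window: timedelta = WINDOW) -> List[Dict]:
    """Return findings for install callbacks that do not fit a single pending install."""
    pending_times = [datetime.fromisoformat(t) for t, _ in pending]
    callbacks = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    callbacks = [c for c in callbacks
                 if c["method"] == "POST" and c["path"] == "/ac/installed"]
    findings: List[Dict] = []
    seen: Dict[datetime, int] = {}  # pending-install start -> callbacks seen
    for c in callbacks:
        start = next((t for t in pending_times if t <= c["ts"] <= t + window), None)
        if start is None:
            findings.append({"ts": c["ts"], "src": c["src"],
                             "reason": "no pending install"})
            continue
        seen[start] = seen.get(start, 0) + 1
        if seen[start] > 1:  # a legitimate install produces one callback only
            findings.append({"ts": c["ts"], "src": c["src"],
                             "reason": "duplicate callback in pending-install window"})
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, PENDING_INSTALLS):
        print(f"{f['ts'].isoformat()} {f['src']}: {f['reason']}")
```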
Related identifiers: EUVD-2026-38249, GHSA-jqgv-39mg-7c2r