CVE-2026-22892 in Mattermost
Summary
by MITRE • 02/13/2026
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post. Mattermost Advisory ID: MMSA-2025-00550
Analysis
by VulDB Data Team • 02/20/2026
This vulnerability exists in Mattermost versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1 where the Jira plugin fails to properly validate user permissions when creating Jira issues from Mattermost posts. The flaw specifically affects the /create-issue API endpoint which allows authenticated attackers with access to the Jira plugin to bypass normal channel access controls. When an attacker provides a post ID from a channel they do not have access to, the system incorrectly processes the request and exposes the post content and attachments to unauthorized users. This represents a critical authorization bypass vulnerability that violates fundamental security principles of least privilege and access control enforcement. The vulnerability stems from inadequate input validation and permission checking mechanisms within the plugin's API implementation, allowing malicious actors to leverage their legitimate plugin access to gain unauthorized access to restricted information.
The technical flaw is a missing authorization check in the Jira plugin's create-issue functionality. When processing a request to the /create-issue endpoint, the plugin should verify that the authenticated user may read the specified post and its attachments before creating a Jira issue from it. The implementation does not perform this check, so a caller can supply any valid post ID regardless of channel membership. The weakness is classified as CWE-285: Improper Authorization, which covers an application failing to enforce access controls on operations that require specific authorization. In effect, the endpoint discloses restricted information because it never enforces the access control that should gate it.
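The missing check described above, as an added Go illustration that is not Mattermost's or the Jira plugin's own code: the plugin API calls are replaced by a hypothetical Store so the example runs stand-alone, VulnerableLoadPost fetches a post by ID alone, and FixedLoadPost first confirms the caller can read the post's channel.

```go
package main

import "errors"

// Post carries the fields the create-issue flow copies into a Jira issue.
type Post struct{ ID, ChannelID, Message string; FileIDs []string }

// Store is a hypothetical stand-in for the plugin API calls a real plugin
// would make here (p.API.GetPost and p.API.HasPermissionToChannel).
type Store struct {
	GetPost        func(postID string) (*Post, error)
	CanReadChannel func(userID, channelID string) bool
}

var ErrNotFound = errors.New("post not found")
var ErrForbidden = errors.New("user may not read the post's channel")
// VulnerableLoadPost reproduces the flaw: the post is fetched by ID alone,
// so the requesting user's channel membership is never consulted.
func VulnerableLoadPost(s Store, userID, postID string) (*Post, error) {
	return s.GetPost(postID)
}

// FixedLoadPost resolves the post to its channel and requires read access
// before message text or attachment IDs are returned. Map ErrForbidden and
// ErrNotFound to the same 404 so the endpoint does not confirm hidden IDs.
func FixedLoadPost(s Store, userID, postID string) (*Post, error) {
	post, err := s.GetPost(postID)
	if err != nil {
		return nil, err
	}
	if !s.CanReadChannel(userID, post.ChannelID) {
		return nil, ErrForbidden
	}
	return post, nil
}

// SampleStore is a constructed fixture: "post1" sits in private channel "priv", whose only member is "alice".
func SampleStore() Store {
	posts := map[string]*Post{"post1": {"post1", "priv", "secret", []string{"f1"}}}
	members := map[string]map[string]bool{"priv": {"alice": true}}
	return Store{
		GetPost: func(id string) (*Post, error) {
			if p, ok := posts[id]; ok {
				return p, nil
			}
			return nil, ErrNotFound
		},
		CanReadChannel: func(u, c string) bool { return members[c][u] },
	}
}
```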
The operational impact of this vulnerability is significant as it enables authenticated attackers to access sensitive information that they should not be able to view. An attacker with access to the Jira plugin can potentially expose confidential discussions, attachments, and content from channels they do not have legitimate access to. This creates a substantial risk for organizations that rely on Mattermost for secure communication and collaboration, particularly in environments where sensitive data is shared across different security zones or teams. The vulnerability can be exploited through simple API requests, making it relatively easy to abuse and potentially leading to data breaches or information leakage that could compromise business operations, intellectual property, or compliance requirements. The exposure of attachments and post content through this unauthorized access mechanism creates a direct pathway for attackers to gather intelligence or sensitive information from restricted channels.
Organizations should immediately update to the patched versions of Mattermost to remediate this vulnerability. The recommended mitigation includes applying the vendor-provided security patches that implement proper permission validation for the Jira plugin's create-issue functionality. System administrators should also review and audit existing Jira plugin access permissions to ensure that only authorized users have access to this functionality. Monitoring for suspicious API usage patterns and implementing additional logging around the /create-issue endpoint can help detect potential exploitation attempts. From a defensive perspective, this vulnerability aligns with ATT&CK technique T1566.002: Phishing via Service, where attackers might leverage legitimate plugin access to gain unauthorized information access. Organizations should also consider implementing network segmentation and API access controls to limit the potential impact of such vulnerabilities. The security controls should focus on enforcing proper access control mechanisms at the application layer, ensuring that all API endpoints validate user permissions before processing sensitive operations. Regular security assessments and penetration testing should be conducted to identify similar authorization bypass issues in other plugins or application components.