CVE-2026-6673 in Mattermost
Summary
by MITRE • 06/22/2026
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window. Mattermost Advisory ID: MMSA-2026-00654
If you want the best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/22/2026
This vulnerability affects Mattermost server versions prior to the patch releases listed above and amounts to a critical authentication bypass in the Atlassian Connect integration flow. The flaw occurs during the pending-install window, when Mattermost fails to validate incoming callback requests from Atlassian applications, in particular Jira. An attacker can exploit the weakness by sending a crafted POST request to the /ac/installed endpoint without any authentication credentials, which lets them manipulate the integration flow and potentially disrupt legitimate Jira workflows.
Technically, the vulnerability stems from insufficient validation of the origin of callbacks in Mattermost's Atlassian Connect handling. When a Jira instance is being connected to Mattermost, the system enters a pending state in which it awaits the installation callback from the Atlassian platform. During this window Mattermost should verify the authenticity of the incoming callback, but instead accepts it without proper authentication checks. An unauthenticated attacker can therefore inject a forged sharedSecret, compromising the integrity of the integration process and potentially gaining unauthorized access to the Mattermost environment through the manipulated Jira integration.
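The check that the paragraph above says is missing can be made concrete. The following Go handler is an added example written for this page; it is not Mattermost's or the Jira plugin's code, and it does not claim to be the actual fix. It assumes the JSON field names used in the advisory (eventType, clientKey, baseUrl, sharedSecret), an `Authorization: JWT <token>` header carrying an RS256-signed token whose `iss` claim is the instance's clientKey, and a public key that the caller has already obtained for that token (key retrieval is out of scope and assumed done). The pending-install window is modelled as an in-memory map that an administrator action would populate. The affected behaviour described above corresponds to performing only the final assignment in `AcceptInstalledChecked`; the hardened path requires a verified signature, a matching issuer and an open, one-shot install window before the sharedSecret is stored.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// InstalledPayload: fields of an Atlassian Connect "installed" body this example inspects.
type InstalledPayload struct {
	EventType    string `json:"eventType"`
	ClientKey    string `json:"clientKey"`
	BaseURL      string `json:"baseUrl"`
	SharedSecret string `json:"sharedSecret"`
}

// PendingInstalls maps a Jira baseUrl to the deadline of its install window (assumed model).
type PendingInstalls map[string]time.Time

// Consume closes the window for baseURL and reports whether it was still open.
func (p PendingInstalls) Consume(baseURL string, now time.Time) bool {
	deadline, ok := p[baseURL]
	delete(p, baseURL)
	return ok && now.Before(deadline)
}

// AcceptInstalledChecked is the hardened handler. The weakness the advisory
// describes amounts to performing only the final assignment below; here the
// secret is stored only for an "installed" event with a verified RS256 JWT
// whose iss equals clientKey, and only while an install window is open.
func AcceptInstalledChecked(body []byte, authHeader string, pub *rsa.PublicKey,
	pending PendingInstalls, secrets map[string]string, now time.Time) error {
	var in InstalledPayload
	if err := json.Unmarshal(body, &in); err != nil {
		return err
	}
	if in.EventType != "installed" || in.SharedSecret == "" {
		return errors.New("not an installed event")
	}
	iss, err := verifyRS256(strings.TrimPrefix(authHeader, "JWT "), pub, now)
	if err != nil {
		return err
	}
	if iss != in.ClientKey {
		return errors.New("jwt issuer does not match clientKey")
	}
	if !pending.Consume(in.BaseURL, now) { // one-shot: closes the window even on success
		return errors.New("no open install window for " + in.BaseURL)
	}
	secrets[in.BaseURL] = in.SharedSecret
	return nil
}

// verifyRS256 parses a compact JWT, insists on alg RS256, checks the PKCS#1
// v1.5 signature over "header.payload", rejects expired tokens and returns iss.
func verifyRS256(token string, pub *rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	var claims struct {
		Iss string `json:"iss"`
		Exp int64  `json:"exp"`
	}
	if len(parts) != 3 || !decodeJSON(parts[0], &hdr) || hdr.Alg != "RS256" || !decodeJSON(parts[1], &claims) {
		return "", errors.New("malformed or unsupported jwt")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad jwt signature")
	}
	if claims.Exp <= now.Unix() {
		return "", errors.New("jwt expired")
	}
	return claims.Iss, nil
}

func decodeJSON(segment string, v interface{}) bool {
	raw, err := base64.RawURLEncoding.DecodeString(segment)
	return err == nil && json.Unmarshal(raw, v) == nil
}

// SignRS256 stands in for the signing side (Atlassian's, in production) so the
// handler can be exercised offline; it is not server logic.
func SignRS256(priv *rsa.PrivateKey, iss string, exp time.Time) (string, error) {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	input := enc(map[string]string{"alg": "RS256"}) + "." + enc(map[string]interface{}{"iss": iss, "exp": exp.Unix()})
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// NewTestKey generates a throwaway RSA key for offline exercise of the handler.
func NewTestKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
```

The order of checks matters for the failure mode the advisory describes: the signature and issuer are verified before the pending entry is consumed, so a bare unauthenticated POST cannot close a legitimate window, while a genuine callback consumes it exactly once and a replay with the same token is refused.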
The operational impact extends beyond simple disruption, since the flaw creates a potential vector for broader system compromise. An attacker could use it to inject malicious code or manipulate integration settings, potentially leading to data exfiltration or unauthorized access to Mattermost's communication channels. The disruption occurs specifically during the installation phase, when Jira attempts to establish connectivity with Mattermost; this makes it particularly dangerous because it targets the initial setup, where administrators may be less vigilant about monitoring such activity. The vulnerability is classified as CWE-287 (Improper Authentication) and represents a significant weakness in Mattermost's access control mechanisms.
Organizations running affected Mattermost versions should immediately apply mitigations: update to the patched releases, restrict access to the /ac/installed endpoint at the network level, and monitor for unauthorized installation attempts. The recommended approach is to apply the latest security patches from Mattermost while also configuring firewall rules that limit access to sensitive endpoints. Administrators should additionally audit existing Jira integrations and use network segmentation to isolate critical communication channels. The vulnerability demonstrates the importance of proper authentication in third-party integration flows and the need for robust validation on every API endpoint that handles external callbacks. The ATT&CK framework categorizes this as a privilege escalation technique through unauthenticated access to administrative functions, highlighting the severity of the potential impact on an organization's security posture.