CVE-2026-22892
MEDIUMMattermost 10.11.0-10.11.9 11.1.0-11.1.2 11.2.0-11.2.1 - Incorrect Authorization via Jira Plugin
Title source: llmDescription
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550
References (1)
Core 1
Core References
Various Sources vendor-advisory
https://mattermost.com/security-updates
Scores
CVSS v3
4.3
EPSS
0.0001
EPSS Percentile
1.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
mattermost/mattermost-server
11.2.0 - 11.2.2Go
mattermost/mattermost_server
10.11.0 - 10.11.10
Published
Feb 13, 2026
Tracked Since
Feb 18, 2026