4.3
Mattermost: Unauthorized users can read sensitive Jira issue data
CVE-2026-22892
GHSA-9pj7-jh2r-87g8
Summary
When a Jira issue is created from a Mattermost post, Mattermost does not check whether the requesting user can read that post. As a result, users with authorized access to the Jira plugin can read content and attachments from channels they do not have access to. This applies to users who have access to the /create-issue API endpoint. To fix this, update Mattermost to the latest version, which includes the necessary permission checks.
What to do
- Update github.com mattermost to version 11.2.2.
- Update github.com mattermost to version 11.1.3.
- Update github.com mattermost to version 10.11.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | mattermost | > 11.2.0, <= 11.2.1 | 11.2.2 |
| github.com | mattermost | > 11.1.0, <= 11.1.2 | 11.1.3 |
| github.com | mattermost | > 10.11.0, <= 10.11.9 | 10.11.10 |
| mattermost | mattermost_server | > 10.11.0, <= 10.11.10 | – |
| mattermost | mattermost_server | > 11.0.0, <= 11.1.3 | – |
| mattermost | mattermost_server | > 11.2.0, <= 11.2.2 | – |
Original title
Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts
Original description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post. Mattermost Advisory ID: MMSA-2025-00550
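
The class of bug described above (CWE-863), shown as an added example in a constructed in-memory model; this is not Mattermost or Jira plugin code, and every type and function name in it is hypothetical. It assumes the missing check is channel membership for the referenced post, and sets a handler that trusts the supplied post ID beside one that authorizes before using the post's content.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model; every name here is hypothetical, not a Mattermost API.
type Post struct{ ID, ChannelID, Message string }

type Server struct {
	posts   map[string]Post            // post ID -> post
	members map[string]map[string]bool // channel ID -> set of user IDs
}

var ErrForbidden = errors.New("user cannot read the referenced post")

// createIssueUnchecked models the flaw: the supplied post ID is resolved and
// its content copied into the issue with no check on the caller's access.
func (s *Server) createIssueUnchecked(userID, postID string) (string, error) {
	p, ok := s.posts[postID]
	if !ok {
		return "", errors.New("post not found")
	}
	return "Jira issue body: " + p.Message, nil
}

// createIssueChecked authorizes against the post's channel first. Unknown and
// unreadable posts return the same error, so post IDs cannot be probed.
func (s *Server) createIssueChecked(userID, postID string) (string, error) {
	p, ok := s.posts[postID]
	if !ok || !s.members[p.ChannelID][userID] {
		return "", ErrForbidden
	}
	return "Jira issue body: " + p.Message, nil
}

// sampleServer builds constructed data: one private channel with one member.
func sampleServer() *Server {
	return &Server{
		posts:   map[string]Post{"post1": {"post1", "private-ch", "Q3 payroll figures"}},
		members: map[string]map[string]bool{"private-ch": {"alice": true}},
	}
}

func main() {
	_, err := sampleServer().createIssueChecked("mallory", "post1")
	fmt.Println("non-member:", err)
}
```
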
nvd CVSS3.1
4.3
Vulnerability type
CWE-863
Incorrect Authorization
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026