CVE-2026-22892 MEDIUM

CVE-2026-22892: Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments

Vendor Mattermost

Product Mattermost

Weakness CWE-863 · Incorrect authorization

Published February 13, 2026

Last update February 13, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550

Key dates

02Disclosure timeline

February 13, 2026 CVE published

February 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22892 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2026-22892

CWE CWE-863

CVSS 4.3 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≥ 11.1.0 and ≤ 11.1.2

Vendor Mattermost

Product Mattermost

Affected ≥ 10.11.0 and ≤ 10.11.9

Vendor Mattermost

Product Mattermost

Affected ≥ 11.2.0 and ≤ 11.2.1

CVE-2026-22892: Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments

01Description

02Disclosure timeline

03References

04Related CVE