CVE-2026-12225
Description
The syracom Secure Login 2FA plugin for Atlassian products allows attackers to bypass two-factor authentication via a crafted User-Agent header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in syracom AG's Secure Login (2FA) plugin for Atlassian Jira, Confluence, and Bitbucket, versions 3.4.0.x [1][2]. When an HTTP request is sent with a User-Agent header containing strings such as AtlassianMobileApp or JIRA, the plugin's code does not enforce configured two-factor authentication checks, allowing access to protected web resources without completing the second factor [1][2]. The plugin treats such requests as mobile app authentication and skips 2FA enforcement.
Exploitation
An attacker needs valid credentials for a target user account. They authenticate with username and password, then send subsequent requests with a crafted User-Agent header containing the bypass string (e.g., AtlassianMobileApp). The plugin does not require the second factor for these requests, granting access as the authenticated user [1][2]. No additional privileges or user interaction are required beyond the initial credential compromise.
Impact
Successful exploitation allows the attacker to bypass 2FA and access the Atlassian application as the compromised user. If that user has administrative privileges, the attacker can access admin functionality and potentially disable the 2FA plugin or make arbitrary administrative changes [1]. The core compromise is authentication bypass leading to privilege escalation in the context of the user's role.
Mitigation
The issue is fixed in version 3.5.0.0, released May 11, 2026 [2][3]. Administrators should update immediately. For environments where mobile app login is blocked by default after the fix (Jira >=10.2.x, Confluence >=9.1.0), a legacy flag -Datlassian.authentication.legacy.mode=true can be set, but only with proper understanding that 2FA is enforced in that mode [2]. No workaround other than upgrading is recommended; the vulnerable 3.4.0.x series should be considered end-of-life.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.4.0.0, <3.5.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin skips all 2FA enforcement when the HTTP User-Agent header contains the strings 'AtlassianMobileApp' or 'JIRA'."
Attack vector
An attacker who possesses valid credentials for any user account (obtained via password leak, phishing, or other means) sends HTTP requests to the Atlassian application with a crafted User-Agent header containing the string "AtlassianMobileApp" or "JIRA" [ref_id=1]. Because the plugin skips all 2FA checks when it sees such a User-Agent, the attacker is logged in without being prompted for a second factor. If the compromised account has administrative privileges, the attacker can then access admin functionality, disable the 2FA plugin, or make arbitrary configuration changes [ref_id=1]. This is a classic broken access control / authentication bypass [CWE-287].
Affected code
The Secure Login (2FA) plugin for Atlassian Jira, Confluence, and Bitbucket contains a broken access control flaw. The plugin checks the HTTP User-Agent header and, if it contains strings such as "AtlassianMobileApp" or "JIRA", skips all 2FA enforcement for the request. This vulnerable code branch is triggered before any authorization checks are applied to protected web resources.
What the fix does
The advisory states that the vendor provides a patch in version 3.5.0.0 [ref_id=1]. The patch likely removes the dangerous code branch that exempts requests with specific User-Agent strings from 2FA enforcement, or replaces it with proper authentication checks that apply regardless of the User-Agent header. Without the patch, any request carrying a User-Agent containing "AtlassianMobileApp" or "JIRA" bypasses all 2FA protections entirely.
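As an added illustration of the root cause and of how a defender can look for it afterwards (this is example code, not syracom's plugin or its fix): the first pair of functions models the enforcement decision, vulnerable versus hardened, where the hardened variant ignores the client-controlled User-Agent entirely and consults only server-side session state; the second part is a retrospective hunt over combined-format access logs for requests that carry one of the advisory's marker strings while reaching administrative paths. The log lines, user-agent values and the admin path prefixes are constructed assumptions for this example, not values taken from the page or from any real deployment.

```python
"""Defender-side illustration for CVE-2026-12225 (added example, not the
plugin's own code).

1. Enforcement decision: a User-Agent string must never decide whether the
   second factor is required; only server-side session state may.
2. Log hunting: flag requests whose User-Agent contains a marker string and
   whose path is administrative.  Real mobile-app traffic to admin pages is
   unusual, so such hits deserve review.

Sample log lines, user agents and admin path prefixes are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable

BYPASS_MARKERS = ("AtlassianMobileApp", "JIRA")  # strings named in the advisory


@dataclass
class Session:
    user: str
    password_verified: bool = False
    second_factor_done: bool = False   # set only after a successful OTP step
    twofa_required: bool = True        # admin-configured policy for this user


def needs_second_factor_vulnerable(session: Session, user_agent: str) -> bool:
    """Models the flawed branch: a matching User-Agent exempts the request."""
    if any(marker in user_agent for marker in BYPASS_MARKERS):
        return False  # trusts an attacker-controlled header (CWE-287)
    return session.twofa_required and not session.second_factor_done


def needs_second_factor_fixed(session: Session, user_agent: str) -> bool:
    """Hardened: the header is ignored; only server-side state decides."""
    del user_agent  # deliberately unused
    return session.twofa_required and not session.second_factor_done


# --- retrospective log hunting ----------------------------------------------
# Assumed admin path prefixes; adjust to the deployment being reviewed.
ADMIN_PREFIXES = ("/secure/admin/", "/admin/", "/plugins/servlet/")

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    ip: str
    user: str
    path: str
    status: int
    ua: str


def find_suspicious(lines: Iterable[str]) -> list[Finding]:
    """Return requests carrying a marker User-Agent that target admin paths.
    Denied requests (4xx) are kept too: attempts are as interesting as hits."""
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real hunt would log these separately
        ua, path = m["ua"], m["path"]
        if any(marker in ua for marker in BYPASS_MARKERS) and path.startswith(ADMIN_PREFIXES):
            findings.append(Finding(m["ts"], m["ip"], m["user"], path, int(m["status"]), ua))
    return findings


# Constructed sample log; addresses are documentation ranges, UAs are made up.
SAMPLE_LOG = [
    '203.0.113.7 - alice [16/Jun/2026:10:01:02 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [16/Jun/2026:10:01:09 +0000] "GET /secure/admin/ViewApplicationProperties.jspa HTTP/1.1" 200 4096 "-" "AtlassianMobileApp/1.0"',
    '198.51.100.3 - bob [16/Jun/2026:10:02:00 +0000] "GET /rest/api/2/myself HTTP/1.1" 200 300 "-" "AtlassianMobileApp/1.0"',
    '198.51.100.3 - bob [16/Jun/2026:10:02:05 +0000] "POST /admin/users/doaddadmin.action HTTP/1.1" 403 0 "-" "JIRA-Mobile"',
]

if __name__ == "__main__":
    s = Session("alice", password_verified=True)
    print("vulnerable, marker UA ->", needs_second_factor_vulnerable(s, "AtlassianMobileApp/1.0"))
    print("fixed, marker UA      ->", needs_second_factor_fixed(s, "AtlassianMobileApp/1.0"))
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.ip} {f.path} {f.status} ua={f.ua!r}")
```

The second sample line is the pattern to look for in a post-upgrade review: an authenticated user reaching an admin page with a marker User-Agent and a 2xx status. The third line shows why the path filter matters, since legitimate mobile clients hitting REST endpoints would otherwise flood the result. Pair the hunt with the plugin's own authentication audit events where available, since web-server logs alone cannot show whether the second factor was completed.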
Preconditions
- Attacker must possess valid credentials for a user account on the Atlassian application
- Attacker must send HTTP requests with a User-Agent header containing 'AtlassianMobileApp' or 'JIRA'
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence
- r.sec-consult.com/syracom
- syracom-bee.atlassian.net/wiki/spaces/SL/pages/4193255427/2026-05-11+-+Secure+Login+security+advisory+-+Broken+Access+Control
- syracom-bee.atlassian.net/wiki/spaces/SL/pages/4230217729/Mobile+app+login+does+not+work+with+Secure+Login
News mentions
No linked articles in our index yet.