Moderate severityNVD Advisory· Published Feb 13, 2026· Updated Feb 13, 2026
Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments
CVE-2026-22892
Description
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost-serverGo | >= 11.2.0, < 11.2.2 | 11.2.2 |
github.com/mattermost/mattermost-serverGo | >= 11.1.0, < 11.1.3 | 11.1.3 |
github.com/mattermost/mattermost-serverGo | >= 10.11.0, < 10.11.10 | 10.11.10 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost-serverpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
>= 11.2.0, < 11.2.2+ 1 more
- (no CPE)range: >= 11.2.0, < 11.2.2
- (no CPE)range: < 0.0.20260226T182644-150000.1.149.1
- Range: 11.1.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-9pj7-jh2r-87g8ghsaADVISORY
- mattermost.com/security-updatesghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-22892ghsaADVISORY
News mentions
0No linked articles in our index yet.