Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm

GHSA-qvmc-92vg-6r35 · CVE-2025-14273 · GO-2026-4275

Published Dec 22, 2025 · Modified Feb 3, 2026

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-14273
WEB https://github.com/mattermost/mattermost-plugin-jira/commit/bf9a1b7e81eb83304056b397c6abab3b062e14a2
WEB https://github.com/mattermost/mattermost/commit/317025c411ec8c34381fdd4f137a17c63895a4f2
WEB https://github.com/mattermost/mattermost/commit/463e0d0d3930782d3c975da26c991dcbfccd751c
WEB https://github.com/mattermost/mattermost/commit/7c36acb68ce3c69defaea540623f794c84ecba93
WEB https://github.com/mattermost/mattermost/commit/92b1e705225d97ce54d9f720f2e7aa66dc2a086b
WEB https://github.com/mattermost/mattermost/commit/b57c297c6d7ae6812d85e32a625806ac9555deee
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes