CVE-2026-22892 — Incorrect Authorization in Mattermost Mattermost-server

CWE-863 — Incorrect Authorization6 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 99.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-server Mattermost Server Mattermost

Timeline

PublishedFeb 13

Latest updateFeb 23

Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶NVDmattermost/mattermost_server10.11.0 — 10.11.10+2

▶Gogithub.com/mattermost_mattermost-server11.2.0 — 11.2.2+5

▶CVEListV5mattermost/mattermost11.1.0 — 11.1.2+2

🔴Vulnerability Details

OSV

Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts in github.com/mattermost/mattermost-server↗2026-02-23

▶

CVEList

Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments↗2026-02-13

▶

OSV

Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts↗2026-02-13

▶

GHSA

Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts↗2026-02-13

▶

🕵️Threat Intelligence

Wiz

CVE-2026-22892 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶