Authentication Bypass Vulnerability in Secure Login (2FA) for Atlassian Products by syracom AG
CVE-2026-12225

8.7 HIGH

What is CVE-2026-12225?

The Secure Login (2FA) plugin for Atlassian applications, including Jira, Confluence, and Bitbucket, allows an attacker who holds valid user credentials to bypass the two-factor authentication step. By sending requests with a specially crafted User-Agent header, such as 'AtlassianMobileApp' or 'JIRA', the attacker causes the plugin to skip the 2FA checks for protected resources. This results in unauthorized access to the affected Atlassian applications, enabling the attacker to operate as the compromised user. If the accessed account possesses administrative rights, the attacker may alter administrative settings, including disabling two-factor authentication or executing arbitrary changes within the application. The vulnerability is resolved in version 3.5.0.0.
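For teams still on an affected version, a retrospective log review is the first question that comes up. The following is an added example, not part of this advisory or of the syracom plugin: it parses constructed Apache/nginx combined-format access log lines (the log format, hosts, users and paths are assumptions) and flags successful requests whose User-Agent exactly matches one of the values the advisory names, plus users seen with both such a User-Agent and an ordinary browser one in the same window.

```python
import re

# Constructed sample access log lines (combined log format); not taken from any real system.
SAMPLE_LOG = """\
203.0.113.10 - alice [12/Mar/2026:10:01:02 +0000] "GET /jira/rest/api/2/myself HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.10 - alice [12/Mar/2026:10:01:09 +0000] "GET /jira/secure/admin/ViewApplicationProperties.jspa HTTP/1.1" 200 8192 "-" "JIRA"
198.51.100.7 - bob [12/Mar/2026:10:02:30 +0000] "GET /confluence/rest/api/content HTTP/1.1" 200 2048 "-" "AtlassianMobileApp"
198.51.100.7 - bob [12/Mar/2026:10:02:31 +0000] "GET /confluence/rest/api/space HTTP/1.1" 200 1024 "-" "AtlassianMobileApp"
192.0.2.55 - carol [12/Mar/2026:10:03:00 +0000] "GET /bitbucket/rest/api/1.0/projects HTTP/1.1" 200 1024 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent values the advisory names as triggering the 2FA exemption before 3.5.0.0.
BYPASS_AGENTS = {"AtlassianMobileApp", "JIRA"}


def parse_line(line):
    """Parse one combined-format line; return a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bypass_candidates(log_text):
    """Return successful (HTTP 200) requests whose User-Agent exactly equals an exempted value."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ua"] in BYPASS_AGENTS and rec["status"] == "200":
            hits.append(rec)
    return hits


def users_mixing_agents(log_text):
    """Users seen with both an exempted User-Agent and a normal one.

    A genuine mobile client rarely shares a short window with a desktop browser
    for the same account, so these accounts deserve a closer look first.
    """
    kinds_by_user = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] != "-":
            kinds_by_user.setdefault(rec["user"], set()).add(rec["ua"] in BYPASS_AGENTS)
    return sorted(u for u, kinds in kinds_by_user.items() if kinds == {True, False})
```

Legitimate Atlassian mobile clients also send these values, so the output is a triage list, not a verdict; correlate with the source IP, the session, and the 2FA enrolment state before acting.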

Affected Version(s)

Secure Login (2FA) for Bitbucket 3.4.0.0

Secure Login (2FA) for Confluence 3.4.0.0 < 3.5.0.0

Secure Login (2FA) for Jira 3.4.0.0 < 3.5.0.0

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Laurentius von Oppenkowski, SEC Consult Vulnerability Lab
Timo Müller, SEC Consult Vulnerability Lab