Unsecured Authentication in Mattermost Affecting Jira Integration
CVE-2026-6673
6.4 MEDIUM
What is CVE-2026-6673?
Certain versions of Mattermost are vulnerable due to a failure to authenticate Atlassian Connect installed callbacks. This weakness allows remote unauthenticated attackers to inject a rogue sharedSecret during the pending-install window, potentially disrupting the integration with Jira through malicious POST requests to the /ac/installed endpoint. Users of affected Mattermost versions should implement appropriate security measures and upgrade to patch the vulnerability.
Affected Version(s)
Mattermost 11.7.0
Mattermost 11.6.0 through 11.6.2
Mattermost 11.5.0 through 11.5.5