CVE-2026-22892

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-22892

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22892.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-22892

Aliases

Downstream

SUSE-SU-2026:0757-1

Related

SUSE-SU-2026:0757-1

Published

2026-02-13T11:16:10.693Z

Modified

2026-04-10T05:38:54.414955Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550

References

https://mattermost.com/security-updates

Affected packages

Git / github.com/mattermost/mattermost-server

Affected ranges

Type

GIT

Repo

https://github.com/mattermost/mattermost-server

Events

Introduced

5b955468ea1ea8b56c0fb10feb258a36a767d7bb

Fixed

ba27ba1f8cb1ffe2b1a79dc3d15a3ffa7de12fd7

Introduced

Fixed

7d0e4261dd4bc45162be3183ac19241f43a3f994

Introduced

ab7b138824c61fe1fe815243d7e2a914dec49c8b

Fixed

cfbe9d9254d4903777fab5957924d260cb5b74ff

Database specific

{
    "versions": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.10"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.1.3"
        },
        {
            "introduced": "11.2.0"
        },
        {
            "fixed": "11.2.2"
        }
    ]
}

Affected versions

@mattermost/client@10.*

@mattermost/client@10.11.0

@mattermost/client@11.*

@mattermost/client@11.1.0

@mattermost/types@10.*

@mattermost/types@10.11.0

@mattermost/types@11.*

@mattermost/types@11.1.0

Other

cloud-2022-07-20-1

cloud-2022-08-10-1

cloud-2022-09-08-1

cloud-2022-10-06-1

cloud-2022-11-11-1

cloud-2022-11-24-1

mattermost-redux@10.*

mattermost-redux@10.11.0

mattermost-redux@11.*

mattermost-redux@11.1.0

preview-v0.*

preview-v0.1

server/public/v0.*

server/public/v0.0.10

server/public/v0.0.11

server/public/v0.0.12

server/public/v0.0.13

server/public/v0.0.14

server/public/v0.0.15

server/public/v0.0.16

server/public/v0.0.17

server/public/v0.0.18

server/public/v0.0.5

server/public/v0.0.6

server/public/v0.0.7

server/public/v0.0.8

server/public/v0.0.9

server/public/v0.1.0

server/public/v0.1.1

server/public/v0.1.10

server/public/v0.1.11

server/public/v0.1.12

server/public/v0.1.13

server/public/v0.1.14

server/public/v0.1.15

server/public/v0.1.16

server/public/v0.1.17

server/public/v0.1.18

server/public/v0.1.19

server/public/v0.1.2

server/public/v0.1.20

server/public/v0.1.3

server/public/v0.1.4

server/public/v0.1.5

server/public/v0.1.6

server/public/v0.1.7

server/public/v0.1.8

server/public/v0.1.9

v0.*

v0.5.0

v10.*

v10.11.0

v10.11.0-rc3

v10.11.1

v10.11.1-rc1

v10.11.2

v10.11.2-rc1

v10.11.2-rc2

v10.11.3

v10.11.4

v10.11.4-rc1

v10.11.4-rc2

v10.11.4-rc3

v10.11.5

v10.11.6

v10.11.7

v10.11.8

v10.11.9

v10.11.9-rc1

v11.*

v11.1.0

v11.1.0-rc1

v11.1.0-rc2

v11.1.0-rc3

v11.1.0-rc4

v11.1.1

v11.1.1-rc1

v11.1.1-rc2

v11.1.2

v11.1.2-rc1

v11.2.0

v11.2.1

v11.2.1-rc1

v4.*

v4.10.0-rc1

v4.2.0-rc1

v4.3.0-rc1

v4.4.0-rc1

v4.5.0-rc1

v4.6.0-rc1

v4.6.0-rc2

v4.7.0-rc1

v4.8.0-rc1

v4.9.0-rc1

v5.*

v5.0.0-rc1

v5.1.0-rc1

v5.2.0-rc1

v5.2.0-rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22892.json"