CVE-2026-12225 Overview
CVE-2026-12225 is an authentication bypass vulnerability in syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket, versions 3.4.0.x. The plugin fails to enforce two-factor authentication when an incoming HTTP request carries a User-Agent string containing specific substrings such as AtlassianMobileApp or JIRA. An attacker holding valid user credentials can skip the 2FA challenge simply by setting that header, which is entirely under client control. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). syracom AG resolved the issue in version 3.5.0.0.
Critical Impact
An attacker with stolen credentials can bypass 2FA on Atlassian Jira, Confluence, or Bitbucket and, if the account is an administrator, disable the plugin or make arbitrary administrative changes.
Affected Products
- syracom AG Secure Login (2FA) for Atlassian Jira 3.4.0.x
- syracom AG Secure Login (2FA) for Atlassian Confluence 3.4.0.x
- syracom AG Secure Login (2FA) for Atlassian Bitbucket 3.4.0.x
Discovery Timeline
- 2026-06-16 - CVE-2026-12225 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12225
Vulnerability Analysis
The Secure Login (2FA) plugin protects Atlassian web resources by interposing a second-factor challenge after primary authentication. The plugin contains a conditional path intended to accommodate mobile clients that cannot complete the interactive 2FA flow. That path keys off the User-Agent request header. When the header contains substrings such as AtlassianMobileApp or JIRA, the plugin skips the 2FA enforcement logic for the requested resource. Because the User-Agent header is attacker-controlled, the bypass is trivial to trigger using any HTTP client.
An attacker who already holds valid credentials, obtained through phishing, password reuse, or credential stuffing, can authenticate to the Atlassian product and reach protected resources without satisfying 2FA. If the credentials belong to an administrator, the attacker reaches administrative consoles and can disable the Secure Login plugin or modify configuration. This widens the post-compromise blast radius from a single user account to the entire Atlassian instance.
Root Cause
The root cause is a trust decision based on a client-supplied header. The plugin treats User-Agent as an authoritative signal of client type rather than as untrusted input. There is no cryptographic binding, no allowlist of authenticated mobile clients, and no fallback enforcement of 2FA on the affected request paths.
Attack Vector
Exploitation requires network access to the Atlassian application and valid credentials for any account on the instance. The attacker issues an HTTP request to a protected endpoint with a User-Agent header containing one of the recognized strings, for example AtlassianMobileApp or JIRA. The plugin returns the protected content as if 2FA had been satisfied. No additional user interaction is required. See the SEC Consult Security Report and the Syracom Security Advisory for additional technical context.
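To make the root cause and attack vector concrete, the following is an added example (constructed for this page, not the syracom plugin's source code) that models the decision the advisory describes. The function names, the Session and Request shapes, the X-Device-Token header and the TrustedDeviceRegistry design are assumptions used for illustration. The vulnerable function reproduces the behaviour described above: a substring in User-Agent switches 2FA off. The hardened function never reads User-Agent and lets a device skip the interactive challenge only by presenting a token the server issued to that same user after a completed 2FA, with 2FA as the fallback on every other path.

```python
"""Model of the trust decision behind CVE-2026-12225 (constructed example).

Not the plugin's code: names, session shape and the device-token scheme are
assumptions. vulnerable_allow() reproduces the header-driven skip described
in the advisory; hardened_allow() shows enforcement that ignores the header.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Substrings the advisory text names; the vendor advisory is authoritative.
BYPASS_UA_SUBSTRINGS = ("AtlassianMobileApp", "JIRA")


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    primary_auth_ok: bool = True     # password accepted
    second_factor_ok: bool = False   # interactive 2FA completed this session


def vulnerable_allow(req: Request, sess: Session) -> bool:
    """Vulnerable decision: an attacker-controlled header disables 2FA."""
    if not sess.primary_auth_ok:
        return False
    ua = req.headers.get("User-Agent", "")
    if any(s in ua for s in BYPASS_UA_SUBSTRINGS):
        return True                  # "mobile accommodation": check skipped
    return sess.second_factor_ok


class TrustedDeviceRegistry:
    """Server-side allowlist of devices that completed 2FA (assumed design)."""

    def __init__(self):
        self._tokens = {}            # issued token -> user it was issued to

    def enroll(self, sess: Session) -> str:
        if not sess.second_factor_ok:
            raise PermissionError("2FA must be completed before enrolling")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = sess.user
        return tok

    def is_trusted(self, token: Optional[str], user: str) -> bool:
        if not token:
            return False
        # Constant-time compare; the token must also be bound to this user.
        return any(hmac.compare_digest(t, token) and u == user
                   for t, u in self._tokens.items())


def hardened_allow(req: Request, sess: Session, reg: TrustedDeviceRegistry) -> bool:
    """Hardened decision: User-Agent is never consulted; 2FA is the fallback."""
    if not sess.primary_auth_ok:
        return False
    if sess.second_factor_ok:
        return True
    return reg.is_trusted(req.headers.get("X-Device-Token"), sess.user)


def demo() -> dict:
    """Exercise both decisions with a spoofed UA, a bound device and a forgery."""
    reg = TrustedDeviceRegistry()
    spoofed = Request("/secure/admin/ViewApplicationProperties.jspa",
                      {"User-Agent": "JIRA/1.0 (spoofed)"})
    creds_only = Session("admin")                    # password only, no 2FA
    full = Session("admin", second_factor_ok=True)   # completed 2FA
    token = reg.enroll(full)
    bound = Request("/rest/api/2/myself",
                    {"User-Agent": "curl/8.0", "X-Device-Token": token})
    forged = Request("/rest/api/2/myself",
                     {"User-Agent": "curl/8.0",
                      "X-Device-Token": secrets.token_urlsafe(32)})
    return {
        "vuln_spoofed_creds_only": vulnerable_allow(spoofed, creds_only),
        "hard_spoofed_creds_only": hardened_allow(spoofed, creds_only, reg),
        "hard_after_2fa": hardened_allow(spoofed, full, reg),
        "hard_bound_device": hardened_allow(bound, creds_only, reg),
        "hard_forged_token": hardened_allow(forged, creds_only, reg),
        "hard_token_other_user": hardened_allow(bound, Session("alice"), reg),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point of the hardened variant is not the token mechanism itself but where the trust comes from: the only way to skip the interactive challenge is a secret the server issued after a completed second factor, bound to a specific user, so nothing the client can type into a header changes the outcome.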
Detection Methods for CVE-2026-12225
Indicators of Compromise
- HTTP requests to Jira, Confluence, or Bitbucket carrying User-Agent values containing AtlassianMobileApp or JIRA from source IPs that have not previously been associated with mobile clients.
- Successful authenticated sessions for users who have 2FA configured but show no corresponding 2FA challenge events in plugin logs.
- Administrative actions, such as disabling the Secure Login plugin or modifying user permissions, originating from sessions established without a recorded 2FA event.
Detection Strategies
- Correlate Atlassian access logs with Secure Login plugin logs to find sessions for 2FA-enrolled users that lack a matching second-factor event. Note that legitimate mobile-app sessions taking the accommodation path will also lack such an event, so treat this signal as a trigger for the user-agent and request-pattern checks below rather than as proof of compromise on its own.
- Baseline the population of User-Agent strings reaching protected endpoints, then alert on unexpected spikes of mobile-app user agents from source IPs that otherwise present scripting or server-side tooling user agents.
- Monitor for authenticated requests whose User-Agent contains the bypass strings but whose request patterns (HTML page URIs, static asset and script fetches) match a desktop browser rather than a mobile API client.
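The three correlation strategies above, implemented as an added example over constructed sample logs. This is not code shipped with the plugin or with Atlassian: the pipe-separated log layout, the 2FA_SUCCESS event name, the ten-minute correlation window, the desktop and admin path markers, and the user and IP values are all assumptions chosen for illustration and must be mapped onto the real access-log and plugin-log formats before use. The sample deliberately includes a legitimate mobile session (bob) that lacks a 2FA event, to show why the no-2FA signal alone is not enough and why the combined flags matter.

```python
"""Correlate access-log sessions with 2FA plugin events (constructed example).

Log formats, event names, path markers and sample values are assumptions.
"""
from datetime import datetime, timedelta

BYPASS_UA_SUBSTRINGS = ("AtlassianMobileApp", "JIRA")
# Assumed markers of desktop-browser activity: HTML dashboard and static assets.
DESKTOP_PATH_MARKERS = ("/s/", "/secure/Dashboard.jspa")
# Assumed admin and plugin-state endpoints worth alerting on.
ADMIN_PATH_MARKERS = ("/secure/admin/", "/rest/plugins/1.0/", "/plugins/servlet/upm")
MUTATING_METHODS = ("POST", "PUT", "DELETE")
TS_FMT = "%Y-%m-%dT%H:%M:%S"
TWO_FA_WINDOW = timedelta(minutes=10)   # assumed max gap between 2FA and session

# Constructed access log: ts|user|src_ip|method|path|user_agent
ACCESS_LOG = "\n".join([
    "2026-06-20T09:00:05|alice|10.0.0.5|GET|/secure/Dashboard.jspa|Mozilla/5.0 (Windows NT 10.0) Chrome/125",
    "2026-06-20T09:00:06|alice|10.0.0.5|GET|/s/abc/_/download/batch/app.js|Mozilla/5.0 (Windows NT 10.0) Chrome/125",
    "2026-06-20T09:10:00|admin|203.0.113.9|GET|/secure/Dashboard.jspa|JIRA/1.0 (spoofed)",
    "2026-06-20T09:10:01|admin|203.0.113.9|GET|/s/abc/_/download/batch/app.js|JIRA/1.0 (spoofed)",
    "2026-06-20T09:10:30|admin|203.0.113.9|PUT|/rest/plugins/1.0/example-plugin-key|JIRA/1.0 (spoofed)",
    "2026-06-20T09:20:00|bob|198.51.100.7|GET|/rest/api/2/myself|AtlassianMobileApp/2.0 iOS",
])
# Constructed plugin log: ts|event|user (only alice completed 2FA)
PLUGIN_LOG = "\n".join([
    "2026-06-20T08:59:58|2FA_SUCCESS|alice",
])
ENROLLED_2FA_USERS = {"alice", "admin", "bob"}


def parse_log(text, fields):
    """Parse pipe-separated lines into dicts with a datetime 'ts' field."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split("|")))
        row["ts"] = datetime.strptime(row["ts"], TS_FMT)
        rows.append(row)
    return rows


def group_sessions(access):
    """Approximate a session as (user, src_ip); requests sorted by time."""
    sessions = {}
    for r in access:
        sessions.setdefault((r["user"], r["src_ip"]), []).append(r)
    for reqs in sessions.values():
        reqs.sort(key=lambda r: r["ts"])
    return sessions


def had_2fa_before(events, user, first_ts):
    """True if the user has a 2FA_SUCCESS within the window before first_ts."""
    return any(e["user"] == user and e["event"] == "2FA_SUCCESS"
               and first_ts - TWO_FA_WINDOW <= e["ts"] <= first_ts
               for e in events)


def analyze(access_text=ACCESS_LOG, plugin_text=PLUGIN_LOG,
            enrolled=ENROLLED_2FA_USERS):
    """Return {(user, src_ip): [flags]} for sessions that trip any strategy."""
    access = parse_log(access_text, ("ts", "user", "src_ip", "method", "path", "ua"))
    events = parse_log(plugin_text, ("ts", "event", "user"))
    findings = {}
    for (user, ip), reqs in group_sessions(access).items():
        if user not in enrolled:
            continue
        no_2fa = not had_2fa_before(events, user, reqs[0]["ts"])
        bypass_ua = any(any(s in r["ua"] for s in BYPASS_UA_SUBSTRINGS) for r in reqs)
        desktop = any(any(m in r["path"] for m in DESKTOP_PATH_MARKERS) for r in reqs)
        admin_write = any(r["method"] in MUTATING_METHODS
                          and any(m in r["path"] for m in ADMIN_PATH_MARKERS)
                          for r in reqs)
        flags = []
        if no_2fa:
            flags.append("no_2fa_event")
        if bypass_ua and desktop:
            flags.append("mobile_ua_desktop_pattern")
        if no_2fa and admin_write:
            flags.append("admin_action_without_2fa")
        if flags:
            findings[(user, ip)] = flags
    return findings


if __name__ == "__main__":
    for (user, ip), flags in analyze().items():
        print(f"{user}@{ip}: {', '.join(flags)}")
```

On the constructed data, alice produces no finding, bob trips only no_2fa_event (a legitimate mobile client on the accommodation path, which is the expected false positive of strategy one), and admin trips all three flags: a mobile user agent fetching the HTML dashboard and its JavaScript bundle, followed by a write to the plugin REST endpoint, with no second-factor event anywhere near the session start. Sessions carrying two or more flags are the ones worth paging on.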
Monitoring Recommendations
- Forward Atlassian application logs, reverse-proxy access logs, and Secure Login plugin logs to a central SIEM and retain them for at least 90 days.
- Alert on administrative API calls executed within sessions where 2FA was not enforced, especially calls that touch plugin state or user permissions.
- Track failed and successful login events per account to surface credential stuffing or password spray activity that precedes a bypass attempt.
How to Mitigate CVE-2026-12225
Immediate Actions Required
- Upgrade syracom AG Secure Login (2FA) to version 3.5.0.0 on all Atlassian Jira, Confluence, and Bitbucket instances where the plugin is installed.
- Audit recent authentication and administrative activity for sessions that lack a corresponding 2FA challenge, with particular focus on administrator accounts.
- Reset credentials for any account that shows evidence of bypass activity and review plugin configuration for unauthorized changes.
Patch Information
syracom AG fixed the vulnerability in Secure Login (2FA) version 3.5.0.0. The patched release is published on the Atlassian Marketplace App listing. Administrators should consult the Syracom Security Advisory and the Syracom Login Issue Documentation for upgrade guidance and any required configuration changes affecting mobile clients.
Workarounds
- If patching cannot be performed immediately, block at an upstream reverse proxy or web application firewall any request whose User-Agent contains the AtlassianMobileApp or JIRA substrings, or rewrite the header to a neutral value so the plugin no longer takes the skip path. Consult the Syracom Security Advisory for the complete list of recognized strings, since the ones named here are examples. Either option also breaks legitimate Atlassian mobile clients until the patch is applied.
- Restrict administrative endpoints to a defined set of source networks so that credential-only access cannot reach administrative functionality even if 2FA is bypassed.
- Disable mobile-app access paths in the plugin configuration until version 3.5.0.0 is deployed, accepting the operational impact on mobile users documented by the vendor.
# Example nginx rule to reject the affected user-agent strings until patched.
# Place it inside the server or location block that proxies to the Atlassian app.
# Note: this also rejects legitimate Atlassian mobile clients, and ~* matches
# case-insensitively, so any User-Agent containing "jira" is rejected as well.
if ($http_user_agent ~* "(AtlassianMobileApp|JIRA)") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

