Skip to main content
CVE Vulnerability Database

CVE-2026-6673: Mattermost Server Auth Bypass Vulnerability

CVE-2026-6673 is an authentication bypass flaw in Mattermost Server that allows attackers to inject rogue credentials and disrupt Jira integration. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-6673 Overview

CVE-2026-6673 affects Mattermost Server and enables a remote attacker to compromise the Jira integration via the Atlassian Connect installation flow. The flaw stems from missing authentication [CWE-306] on the /ac/installed callback endpoint. An unauthenticated attacker can submit a crafted POST request during the pending-install window and inject a rogue sharedSecret. This breaks the trust relationship between Mattermost and Jira, disrupting the integration. Mattermost tracks the issue as advisory MMSA-2026-00654.

Critical Impact

A successful attack lets an unauthenticated remote attacker hijack the Atlassian Connect trust handshake, replace the shared secret, and disrupt the Jira integration.

Affected Products

  • Mattermost Server 11.7.x up to and including 11.7.0
  • Mattermost Server 11.6.x up to and including 11.6.2, and 11.5.x up to and including 11.5.5
  • Mattermost Server 10.11.x up to and including 10.11.17

Discovery Timeline

  • 2026-06-22 - CVE-2026-6673 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-6673

Vulnerability Analysis

Mattermost integrates with Jira through the Atlassian Connect protocol. During installation, Jira sends a lifecycle callback to the Mattermost endpoint /ac/installed. This callback contains a sharedSecret that both sides use to sign subsequent JWTs. The vulnerable Mattermost builds do not authenticate this callback during the pending-install window. Any network-reachable client can submit a POST request with attacker-controlled values. The server accepts the payload and replaces the legitimate sharedSecret with the injected one. Subsequent signed traffic from Jira no longer validates, which breaks the integration. The advisory categorizes the integrity impact as high and the availability impact as high.

Root Cause

The root cause is Missing Authentication for a Critical Function [CWE-306]. The lifecycle endpoint /ac/installed does not verify that the caller is the legitimate Atlassian Connect tenant. Mattermost should validate the incoming JWT signed by the install key, but the affected versions skip this check while an install is pending.

Attack Vector

The attacker needs network access to the Mattermost server and must time the request during an active pending-install window for the Atlassian Connect app. The attacker sends a POST request to /ac/installed with a JSON body containing fields such as clientKey, sharedSecret, and baseUrl. Mattermost stores these values without verifying provenance. The high attack complexity reflects the timing requirement, while user interaction reflects the need for an administrator to initiate the install flow.

No verified public exploit code is available. See the Mattermost Security Updates advisory for vendor technical details.

Detection Methods for CVE-2026-6673

Indicators of Compromise

  • Unexpected POST requests to the /ac/installed path from IP addresses that are not the configured Atlassian Cloud egress ranges.
  • clientKey or sharedSecret values in the Mattermost plugin store that do not match the values registered in the corresponding Jira instance.
  • Jira integration failures or signature validation errors appearing in Mattermost server logs shortly after an install attempt.

Detection Strategies

  • Inspect reverse proxy and web server access logs for POST requests to /ac/installed and correlate the source IP against Atlassian's published egress ranges.
  • Alert on multiple /ac/installed callbacks for the same clientKey within a short window, which can indicate a race against the legitimate Jira callback.
  • Audit the Mattermost Jira plugin configuration after every install or reinstall to confirm the stored sharedSecret matches the expected tenant.

Monitoring Recommendations

  • Forward Mattermost application logs and proxy logs to a centralized analytics platform such as Singularity Data Lake for retention and correlation.
  • Build a watchlist that flags lifecycle callbacks occurring outside maintenance windows where an admin is not actively installing the Jira app.
  • Track failed JWT signature validations on subsequent Atlassian Connect API calls as a downstream signal of secret tampering.

How to Mitigate CVE-2026-6673

Immediate Actions Required

  • Upgrade Mattermost Server to a fixed release above 11.7.0, 11.6.2, 11.5.5, or 10.11.17 as published in the Mattermost security advisory.
  • Restrict network access to /ac/installed so that only Atlassian Cloud egress IP ranges can reach the endpoint at the proxy layer.
  • Uninstall and reinstall the Jira plugin if there is any evidence of an unauthorized callback, then rotate the resulting sharedSecret.

Patch Information

Mattermost has released fixed versions and documents them under advisory MMSA-2026-00654. Refer to the Mattermost Security Updates page for the current patched build numbers and upgrade guidance.

Workarounds

  • Avoid leaving the Atlassian Connect install in a pending state; complete or cancel the flow promptly to minimize the exposure window.
  • Place the Mattermost server behind a reverse proxy that enforces source IP allowlisting for the /ac/installed path.
  • Disable the Jira plugin until the upgrade is applied if administrators cannot constrain network access to the callback endpoint.
bash
# Example NGINX restriction for the Atlassian Connect lifecycle endpoint
location = /ac/installed {
    allow 13.52.5.96/28;     # Atlassian Cloud egress range (verify current list)
    allow 13.236.8.224/28;
    deny all;
    proxy_pass http://mattermost_upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.