CVE-2026-6673 Overview
CVE-2026-6673 affects Mattermost Server and enables a remote attacker to compromise the Jira integration via the Atlassian Connect installation flow. The flaw stems from missing authentication [CWE-306] on the /ac/installed callback endpoint. An unauthenticated attacker can submit a crafted POST request during the pending-install window and inject a rogue sharedSecret. This breaks the trust relationship between Mattermost and Jira, disrupting the integration. Mattermost tracks the issue as advisory MMSA-2026-00654.
Critical Impact
A successful attack lets an unauthenticated remote attacker hijack the Atlassian Connect trust handshake, replace the shared secret, and disrupt the Jira integration.
Affected Products
- Mattermost Server 11.7.x up to and including 11.7.0
- Mattermost Server 11.6.x up to and including 11.6.2, and 11.5.x up to and including 11.5.5
- Mattermost Server 10.11.x up to and including 10.11.17
Discovery Timeline
- 2026-06-22 - CVE-2026-6673 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-6673
Vulnerability Analysis
Mattermost integrates with Jira through the Atlassian Connect protocol. During installation, Jira sends a lifecycle callback to the Mattermost endpoint /ac/installed. This callback contains a sharedSecret that both sides use to sign subsequent JWTs. The vulnerable Mattermost builds do not authenticate this callback during the pending-install window. Any network-reachable client can submit a POST request with attacker-controlled values. The server accepts the payload and replaces the legitimate sharedSecret with the injected one. Subsequent signed traffic from Jira no longer validates, which breaks the integration. The advisory categorizes the integrity impact as high and the availability impact as high.
Root Cause
The root cause is Missing Authentication for a Critical Function [CWE-306]. The lifecycle endpoint /ac/installed does not verify that the caller is the legitimate Atlassian Connect tenant. Mattermost should validate the incoming JWT signed by the install key, but the affected versions skip this check while an install is pending.
Attack Vector
The attacker needs network access to the Mattermost server and must time the request during an active pending-install window for the Atlassian Connect app. The attacker sends a POST request to /ac/installed with a JSON body containing fields such as clientKey, sharedSecret, and baseUrl. Mattermost stores these values without verifying provenance. The high attack complexity reflects the timing requirement, while user interaction reflects the need for an administrator to initiate the install flow.
No verified public exploit code is available. See the Mattermost Security Updates advisory for vendor technical details.
Detection Methods for CVE-2026-6673
Indicators of Compromise
- Unexpected POST requests to the /ac/installed path from IP addresses that are not the configured Atlassian Cloud egress ranges.
- clientKey or sharedSecret values in the Mattermost plugin store that do not match the values registered in the corresponding Jira instance.
- Jira integration failures or signature validation errors appearing in Mattermost server logs shortly after an install attempt.
Detection Strategies
- Inspect reverse proxy and web server access logs for POST requests to /ac/installed and correlate the source IP against Atlassian's published egress ranges.
- Alert on multiple /ac/installed callbacks for the same clientKey within a short window, which can indicate a race against the legitimate Jira callback.
- Audit the Mattermost Jira plugin configuration after every install or reinstall to confirm the stored sharedSecret matches the expected tenant.
Monitoring Recommendations
- Forward Mattermost application logs and proxy logs to a centralized analytics platform such as Singularity Data Lake for retention and correlation.
- Build a watchlist that flags lifecycle callbacks occurring outside maintenance windows where an admin is not actively installing the Jira app.
- Track failed JWT signature validations on subsequent Atlassian Connect API calls as a downstream signal of secret tampering.
How to Mitigate CVE-2026-6673
Immediate Actions Required
- Upgrade Mattermost Server to a fixed release above 11.7.0, 11.6.2, 11.5.5, or 10.11.17 as published in the Mattermost security advisory.
- Restrict network access to /ac/installed so that only Atlassian Cloud egress IP ranges can reach the endpoint at the proxy layer.
- Uninstall and reinstall the Jira plugin if there is any evidence of an unauthorized callback, then rotate the resulting sharedSecret.
Patch Information
Mattermost has released fixed versions and documents them under advisory MMSA-2026-00654. Refer to the Mattermost Security Updates page for the current patched build numbers and upgrade guidance.
Workarounds
- Avoid leaving the Atlassian Connect install in a pending state; complete or cancel the flow promptly to minimize the exposure window.
- Place the Mattermost server behind a reverse proxy that enforces source IP allowlisting for the /ac/installed path.
- Disable the Jira plugin until the upgrade is applied if administrators cannot constrain network access to the callback endpoint.
# Example NGINX restriction for the Atlassian Connect lifecycle endpoint
location = /ac/installed {
allow 13.52.5.96/28; # Atlassian Cloud egress range (verify current list)
allow 13.236.8.224/28;
deny all;
proxy_pass http://mattermost_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

