CVE Catalog

CVE-2026-12225

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

27th percentile — higher than 27% of all known CVEs

Summary

The syracom AG Secure Login (2FA) plugin for Atlassian Jira, Confluence, and Bitbucket version 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid login credentials can bypass the two-factor authentication process by sending crafted HTTP requests with a specific User-Agent header.

Risk Assessment

Exploitation of this vulnerability allows the attacker to access the Atlassian application as the compromised user, which can lead to serious security breaches, especially if the compromised account has administrative privileges.

Recommendation

It is recommended to update the plugin to version 3.5.0.0 to eliminate this vulnerability and to review and monitor user accounts for unauthorized activities.

Original NVD description (English source)

syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS