CVE-2026-6673
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, and 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration.
Risk Assessment
An attacker could exploit this vulnerability to take control of the Jira integration, potentially leading to data loss or disruption of system operations.
Recommendation
It is recommended to update Mattermost to the latest version to mitigate this vulnerability and ensure proper authentication for Atlassian Connect callbacks.
Original NVD description (English source)
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the pending-install window.. Mattermost Advisory ID: MMSA-2026-00654

