CVE-2026-22892

Medium | 4.3 | No Exploit

Plain English Summary


An authenticated user with access to the Jira plugin in Mattermost can exploit a missing permission check to read messages and attachments from private channels they are not a member of, by supplying the ID of a post in such a channel. This vulnerability affects specific Mattermost versions and requires the attacker to be authenticated to the system.

Technical Description

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9 and 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts. This allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint, by providing the post ID of an inaccessible post. Mattermost Advisory ID: MMSA-2025-00550
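The flaw described above is a classic object-level authorization gap: the handler trusts a client-supplied post ID and never checks that the caller may read the channel the post belongs to. The following Go program is an added illustration, not Mattermost or Jira plugin code; the `Store` interface, `Post` type and the sample data are constructed stand-ins for the plugin API lookups a real handler would make. It shows the flawed pattern beside a hardened version that resolves the post's channel and checks the caller's read permission before using any post content.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Post carries the fields an issue-creation handler would copy into Jira.
// Constructed model for this example; not the Mattermost data model.
type Post struct {
	ID        string
	ChannelID string
	Message   string
	FileNames []string
}

// Store is a hypothetical stand-in for the lookups a plugin performs through
// the platform API: fetch a post by ID, and ask whether a user may read a channel.
type Store interface {
	GetPost(postID string) (*Post, bool)
	UserCanReadChannel(userID, channelID string) bool
}

// ErrNotFound is returned for both "no such post" and "caller may not read the
// post's channel", so the endpoint does not confirm that a guessed ID exists.
var ErrNotFound = errors.New("post not found")

// buildIssueDescription renders the text that would be sent to the tracker.
func buildIssueDescription(p *Post) string {
	var b strings.Builder
	b.WriteString(p.Message)
	for _, f := range p.FileNames {
		b.WriteString("\nAttachment: " + f)
	}
	return b.String()
}

// CreateIssueInsecure reproduces the flawed pattern: the post is fetched by the
// client-supplied ID and its content is used without any check that the
// requesting user is allowed to see the channel it lives in.
func CreateIssueInsecure(s Store, userID, postID string) (string, error) {
	post, ok := s.GetPost(postID)
	if !ok {
		return "", ErrNotFound
	}
	return buildIssueDescription(post), nil
}

// CreateIssueSecure adds the missing step: resolve the post's channel and
// verify the caller's read permission on it before touching post content.
func CreateIssueSecure(s Store, userID, postID string) (string, error) {
	post, ok := s.GetPost(postID)
	if !ok {
		return "", ErrNotFound
	}
	if !s.UserCanReadChannel(userID, post.ChannelID) {
		return "", ErrNotFound
	}
	return buildIssueDescription(post), nil
}

// memStore is an in-memory Store holding constructed sample data.
type memStore struct {
	posts   map[string]*Post
	members map[string]map[string]bool // channelID -> set of member userIDs
}

func (m *memStore) GetPost(id string) (*Post, bool) {
	p, ok := m.posts[id]
	return p, ok
}

func (m *memStore) UserCanReadChannel(userID, channelID string) bool {
	return m.members[channelID][userID]
}

// SampleStore builds the constructed scenario: one private channel whose only
// member is "alice", a post with an attachment in it, and "bob", a non-member.
func SampleStore() Store {
	return &memStore{
		posts: map[string]*Post{
			"post-private-1": {ID: "post-private-1", ChannelID: "chan-private",
				Message: "Q3 board deck draft", FileNames: []string{"board-deck.pdf"}},
		},
		members: map[string]map[string]bool{
			"chan-private": {"alice": true},
		},
	}
}

func main() {
	s := SampleStore()
	for _, user := range []string{"alice", "bob"} {
		desc, err := CreateIssueInsecure(s, user, "post-private-1")
		fmt.Printf("insecure user=%s err=%v desc=%q\n", user, err, desc)
		desc, err = CreateIssueSecure(s, user, "post-private-1")
		fmt.Printf("secure   user=%s err=%v desc=%q\n", user, err, desc)
	}
}
```

The hardened handler deliberately returns the same error for an unknown post and for a post the caller may not read; a distinct "forbidden" response would let a caller enumerate which post IDs exist. The same check belongs on every endpoint that accepts an object ID from the client, not only the one named in the advisory.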

CVSS Vector Analysis

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
Scope: Unchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Official References

Est. Bounty: $552 ($500-$1K)
Vendor Response: Grade A, patched in 5 days

Quick Information

Published

Feb 13, 2026


Last Modified

Feb 18, 2026


Vendor

mattermost

Product

mattermost server