CVE-2026-22892: Confused Deputy in the Chatroom: Dissecting CVE-2026-22892

Source: Dev.to

TL;DR

The Mattermost Jira Plugin failed to verify user permissions when creating Jira issues from Mattermost posts. An attacker with a valid Post ID can force the plugin to retrieve and display content from private channels they cannot access. Fixed in version 11.3.0 and related patch releases.

Technical Details

• Vulnerability ID: CVE-2026-22892
• CWE: CWE‑863 (Incorrect Authorization)
• CVSS v3.1: 4.3 (Medium)
• Attack Vector: Network (Authenticated)
• Privileges Required: Low (User)
• EPSS Score: 0.01 % (Low)
• Exploit Status: None (No Public Exploit)

Affected Systems

• Mattermost Server (Jira Plugin) 10.11.x  Management**.

3. Locate Jira in the list.
4. Click Update to install version 11.3.0 or higher.
5. Alternatively, upgrade the Mattermost Server to a patched release (e.g., 10.11.10, 11.1.3, 11.2.2) that bundles the fixed plugin.

References

• Mattermost Security Updates
• NVD – CVE‑2026‑22892