CVE-2022-26135

Name: CVE-2022-26135
Creator: NVD / NIST
Published: 2022-06-30T06:15:07.693+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 71.17%

Last modified Jun 17, 2026

CVE-2022-26135 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. EPSS estimates a 71.17% chance of exploitation in the next 30 days.

Description

A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 before version 8.13.22, from version 8.14.0 before 8.20.10, from version 8.21.0 before 8.22.4. This also affects Jira Management Server and Data Center versions from version 4.0.0 before 4.13.22, from version 4.14.0 before 4.20.10 and from version 4.21.0 before 4.22.4.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

71.17%

99.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Atlassian	Jira Data Center	>= 8.0.0, < 8.13.22
Atlassian	Jira Data Center	>= 8.14.0, < 8.20.10
Atlassian	Jira Data Center	>= 8.21.0, < 8.22.4
Atlassian	Jira Server	>= 8.0.0, < 8.13.22
Atlassian	Jira Server	>= 8.14.0, < 8.20.10
Atlassian	Jira Server	>= 8.21.0, < 8.22.4
Atlassian	Jira Service Desk	>= 4.0.0, < 4.13.22
Atlassian	Jira Service Management	>= 4.14.0, < 4.20.10
Atlassian	Jira Service Management	>= 4.21.0, < 4.22.4

References

https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022Mitigation, Vendor Advisory
https://jira.atlassian.com/browse/JRASERVER-73863Vendor Advisory
https://jira.atlassian.com/browse/JSDSERVER-11840Vendor Advisory
https://confluence.atlassian.com/display/JIRA/Jira+Server+Security+Advisory+29nd+June+2022Mitigation, Vendor Advisory
https://jira.atlassian.com/browse/JRASERVER-73863Vendor Advisory
https://jira.atlassian.com/browse/JSDSERVER-11840Vendor Advisory

Timeline

Published: Jun 30, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-26135?

How severe is CVE-2022-26135?

CVE-2022-26135 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 71.17% probability of exploitation in the next 30 days.

How do I fix CVE-2022-26135?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-26135?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST