CVE-2026-12225 | Severity: HIGH | CNA: SEC-VLab

CVE-2026-12225: syracom Secure Login (2FA) for Confluence allows 2FA bypass via spoofed User-Agent

syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containing specific strings such as AtlassianMobileApp or JIRA. When such a User-Agent is present, the plugin does not enforce the configured 2FA checks for protected web resources. Successful exploitation allows the attacker to access the affected Atlassian application as the compromised user without completing 2FA. If the compromised account has administrative privileges, the attacker can access administrative functionality and may disable the 2FA plugin or make arbitrary administrative changes. The issue is fixed in version 3.5.0.0.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 3.5.0.0
Affected products: 3


HarborGuard Analysis

Synopsis

This is an authentication bypass vulnerability in syracom AG Secure Login (2FA) for Atlassian Jira, Confluence, and Bitbucket versions in the 3.4.0.x range. An attacker who already holds valid credentials for any account can skip the two-factor step entirely by sending HTTP requests whose User-Agent header contains a string such as AtlassianMobileApp or JIRA: the plugin treats those strings as marking a trusted mobile client and does not enforce 2FA for protected web resources. The root cause is that the exemption rests on a header the client sets freely, so the "trusted client" decision is under the attacker's control. Successful exploitation grants full authenticated access to the Atlassian application without 2FA, and if the compromised account is an administrator, the attacker can disable the 2FA plugin or make arbitrary administrative changes. A patched-image rebuild at version 3.5.0.0 is available on HarborGuard for affected environments.
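To make the failure mode concrete, here is an added model of a 2FA gate that trusts a client-controlled header, beside a version that decides only from server-side session state. This is illustrative code written for this page, not the syracom plugin's source; the Session type, the function names and the sample values are assumptions, and the only facts taken from the advisory are the two marker strings and the effect their presence has.

```python
# Added illustration of the bug class behind CVE-2026-12225: a 2FA gate that
# trusts a client-controlled header. This is NOT the syracom plugin's code;
# the plugin's real control flow is not published on this page. The Session
# type, function names and sample values below are assumptions for the demo.
from dataclasses import dataclass

# Substrings the advisory says are enough to skip 2FA when present in User-Agent.
EXEMPT_UA_MARKERS = ("AtlassianMobileApp", "JIRA")


@dataclass
class Session:
    user: str
    password_verified: bool       # first factor completed
    second_factor_verified: bool  # TOTP/push completed on this session


def looks_like_mobile_client(user_agent: str) -> bool:
    """The flawed trust decision: a substring match on an attacker-supplied header."""
    return any(marker in user_agent for marker in EXEMPT_UA_MARKERS)


def vulnerable_gate(session: Session, user_agent: str) -> str:
    """Return 'allow', 'challenge' or 'deny' the way a header-exempting 2FA filter would."""
    if not session.password_verified:
        return "deny"
    if looks_like_mobile_client(user_agent):
        return "allow"  # bypass: the second factor is never checked
    return "allow" if session.second_factor_verified else "challenge"


def hardened_gate(session: Session, user_agent: str) -> str:
    """Same decision without the header exemption: only server-side state counts."""
    if not session.password_verified:
        return "deny"
    return "allow" if session.second_factor_verified else "challenge"


def demo() -> dict:
    # Constructed sample: the attacker holds the password but never completed 2FA.
    attacker = Session(user="alice", password_verified=True, second_factor_verified=False)
    browser_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
    spoofed_ua = browser_ua + " JIRA"  # the crafted header the advisory describes
    return {
        "vulnerable/browser": vulnerable_gate(attacker, browser_ua),
        "vulnerable/spoofed": vulnerable_gate(attacker, spoofed_ua),
        "hardened/browser": hardened_gate(attacker, browser_ua),
        "hardened/spoofed": hardened_gate(attacker, spoofed_ua),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} -> {verdict}")
```

The hardened version simply has no client-identity branch: whatever accommodation a real deployment needs for mobile apps has to rest on something the server verified (a token issued after a completed 2FA, for example), never on a header the client writes.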

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-12225 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using feeds from upstream advisory sources including the CNA SEC-VLab. Coverage extends to custom-built images that bundle the syracom Secure Login plugin, not just images pulled from public registries.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS v4.0 8.7 (HIGH) and applying per-environment compliance policy weighting to determine urgency before routing findings to the appropriate team inbox within each customer organization. Because this vulnerability directly undermines 2FA controls, compliance policies that enforce MFA requirements may elevate its effective priority beyond the base score.

Patch (Available)

A patched-image rebuild at version 3.5.0.0 becomes available through HarborGuard once the fix version is matched to an affected image in a customer registry or pipeline. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Atlassian application over the network to send the crafted HTTP request; any internet-exposed or intranet-accessible instance is in scope.

  • Authentication: Required

    The attacker needs a valid account on the Atlassian instance (PR:L in the vector); no admin rights are required to bypass 2FA, though higher-privilege accounts amplify impact.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker sends crafted requests directly to the application without any victim participation.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and condition-free: the attacker includes one of the named strings in the User-Agent header, with no race conditions or memory-layout dependencies to manage.

Blast Radius

  • Attacker gains full authenticated session access to Jira, Confluence, or Bitbucket as the credential-holder, bypassing the 2FA control entirely.
  • Reads all content and data accessible to the compromised account, including confidential pages, repositories, and project data.
  • Writes or modifies content, tickets, repository commits, and configuration items within the permissions of the compromised account.
  • If the compromised account holds administrator privileges, the attacker can disable the 2FA plugin, create new admin accounts, or make arbitrary platform-wide configuration changes.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-12225 is matched against customer images within minutes of advisory ingestion, covering both registry-pulled and custom-built images that include the syracom Secure Login plugin. A patched-image rebuild at version 3.5.0.0 is available for any environment where an affected 3.4.0.x image is identified. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, run regression tests, and open a PR against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Teams should treat this as urgent: the bypass removes the second authentication factor for anyone holding a valid password, with no victim interaction required.

Until the plugin is upgraded to 3.5.0.0, two compensating controls are worth considering. Restricting network-level access to the Atlassian application to known IP ranges narrows who can send the crafted request, but it does not protect against an attacker who holds valid credentials and is already inside the allowed range. Reviewing access logs for requests whose User-Agent contains AtlassianMobileApp or JIRA but that come from unexpected clients (for example a session that otherwise presents a desktop-browser User-Agent) can surface abuse, provided the access-log pattern actually records the User-Agent. Treat such hits as leads for session and login review rather than proof of compromise, since these are the strings the plugin expects from legitimate mobile clients. After patching, check whether any administrator session changed the 2FA plugin configuration during the exposure window, given that an admin-level attacker can disable the plugin.
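The log review suggested above, as an added example script (not HarborGuard tooling and not from the advisory): it parses access-log lines, flags requests whose User-Agent carries either marker string, and raises priority when the marker is tacked onto a desktop-browser string or when the same client also presents a non-mobile User-Agent elsewhere in the log. The combined-log-format regex, the browser tokens and the sample lines are constructed assumptions; Atlassian's Tomcat access-log pattern is configurable, so adjust LOG_RE to match your instance before relying on the parser.

```python
# Added example of the interim log review the text recommends. My own triage
# script, not HarborGuard tooling. The regex assumes combined log format and the
# sample lines below are constructed; real Atlassian access-log patterns differ.
import re
from collections import defaultdict

UA_MARKERS = ("AtlassianMobileApp", "JIRA")          # strings named in the advisory
BROWSER_TOKENS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/", "Edg/")  # assumption

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: alice logs in from a browser, then the same client sends
# the marker; bob looks like a plain mobile client; the curl line is unrelated.
SAMPLE_LOG = """\
203.0.113.10 - alice [14/Mar/2026:09:01:11 +0000] "POST /wiki/dologin.action HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.10 - alice [14/Mar/2026:09:01:12 +0000] "GET /wiki/rest/api/content HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0 JIRA"
198.51.100.7 - bob [14/Mar/2026:09:05:40 +0000] "GET /wiki/rest/api/content HTTP/1.1" 200 3104 "-" "AtlassianMobileApp/1.0"
192.0.2.5 - - [14/Mar/2026:09:07:02 +0000] "GET /wiki/ HTTP/1.1" 302 0 "-" "curl/8.5.0"
"""


def parse(line: str):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_marker(ua: str) -> bool:
    return any(m in ua for m in UA_MARKERS)


def triage(log_text: str) -> list:
    """Flag marker-bearing requests and rank those that do not look like a real mobile client."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]

    # Every User-Agent each (ip, user) pair presented anywhere in the log.
    uas_seen = defaultdict(set)
    for e in entries:
        uas_seen[(e["ip"], e["user"])].add(e["ua"])

    findings = []
    for e in entries:
        markers = [m for m in UA_MARKERS if m in e["ua"]]
        if not markers:
            continue
        reasons = []
        if any(t in e["ua"] for t in BROWSER_TOKENS):
            reasons.append("browser User-Agent with mobile marker appended")
        if any(not has_marker(ua) for ua in uas_seen[(e["ip"], e["user"])]):
            reasons.append("same client also sends a non-mobile User-Agent")
        findings.append({
            "ip": e["ip"], "user": e["user"], "request": e["request"], "ua": e["ua"],
            "markers": markers,
            "priority": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['priority']}] {f['ip']} {f['user']} {f['request']!r} ua={f['ua']!r} {f['reasons']}")
```

Run it against your real log with `triage(open(path).read())`; "high" findings are the ones to correlate with login events and session activity first, while "review" findings are marker hits that still need a check against the clients you expect.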


Fix available: 3.5.0.0

Affected packages
  • syracom AG / Secure Login (2FA) for Jira: < 3.5.0.0 (from 3.4.0.0)
  • syracom AG / Secure Login (2FA) for Confluence: < 3.5.0.0 (from 3.4.0.0)
  • syracom AG / Secure Login (2FA) for Bitbucket: 3.4.0.0

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N