[Bugcrowd] Jira users can get comments from issues that they have no access to

Description

Note: This issue could not be reproduced by QA team, on either QA or PROD environment.

We’ve gone through the reproduction steps multiple times but never received the mail after intercepting the /mention request (Part 2, steps 9-10).

Below is the original description provided by the researcher.


I found that users can create mentions with the id of an issue and the id of a comment in that issue, even when they have no access to the issue. After that, the mentioned user receives an email with the comment content. The attacker must know the id of an issue and the id of a comment in the issue, but that does not look like a strong restriction, as the ids can be enumerated.

Steps to reproduce:

Part 1. Configuration

  1. Log in as admin

  2. Go to https://<YOUR_INSTANCE>.atlassian.net/jira/projects?page=1&sortKey=name&sortOrder=ASC

  3. Click Create space

  4. Select any space from Software development tab -> Use template -> Select a team-managed space

  5. Fill all required fields and set Access value to Private (not available on a free plan, you will see a link to upgrade plan on a free plan):

  6. Click Next

  7. On the Bring your team along page do not invite any users and click Skip

  8. Click Continue

  9. Create an issue in the created space

  10. Open the created issue and add a comment

  11. To get the required ids, add any reaction to the comment

  12. Go to the request history and find a request to /gateway/api/reactions/reactions. Get the id of the comment from ari and the id of the issue from containerAri (the values look like ari:cloud:jira:<CLOUD_UUID>:comment/<COMMENT_ID> and ari:cloud:jira:<CLOUD_UUID>:issue/<ISSUE_ID> respectively). Note that only the integer id is needed

Part 2. The vulnerability

  1. Log in as a non-admin who has no access to the created project and ensure that you cannot open the issue

  2. Open any issue that you have access to, add a comment

  3. Click ... in the top right corner -> Create external share

  4. Copy the url of the share from the top and open it

  5. Click My account and log in via Atlassian, click to activate your account

  6. Open again the issue and click Create external share again

  7. Open the Mentions tab

  8. Click Add mention

  9. Type the email address of your Atlassian account, select any comment (if there are no comments on the issue, add one), click Add mention and intercept the request to /api/share/<SHARE_UUID>/mention in Burp Suite

  10. Change workItemId to the issue id and commentId to the comment id (from step 12 of Part 1) and forward the request

  11. Check your email inbox; there will be an email with the comment content
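The following is an added illustration of the flow in Part 2 steps 9-10 and of the ARI parsing in Part 1 step 12. It is a constructed Python model written for this page, not Jira's or the external-share add-on's code, and it reflects the researcher's description rather than anything QA confirmed; the share UUID, issue and comment ids, e-mail addresses and the Store, Share, mention_vulnerable and mention_fixed names are all assumptions. The vulnerable handler uses the workItemId and commentId from the request body as sent; the hardened one binds both to the issue the share was created for and checks that the share owner may view it.

```python
"""Model of the mention flow described in the report.

Hypothetical, simplified re-implementation written for this page; it is not
Jira's or the external-share add-on's code. Share UUIDs, issue and comment
ids and e-mail addresses below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# ARI shape from Part 1 step 12: ari:cloud:jira:<CLOUD_UUID>:<type>/<INTEGER_ID>
_ARI_RE = re.compile(r"^ari:cloud:jira:[0-9a-f-]+:(issue|comment)/(\d+)$")


def ari_numeric_id(ari: str) -> tuple[str, int]:
    """Return (resource type, integer id) from a Jira ARI such as the `ari` and
    `containerAri` values seen in the /gateway/api/reactions/reactions request."""
    m = _ARI_RE.match(ari)
    if not m:
        raise ValueError(f"not a Jira issue/comment ARI: {ari!r}")
    return m.group(1), int(m.group(2))


@dataclass
class Comment:
    comment_id: int
    issue_id: int
    body: str


@dataclass
class Share:
    share_uuid: str
    issue_id: int   # the issue the external share was created for
    owner: str      # Atlassian account that created the share


@dataclass
class Store:
    comments: dict[int, Comment]
    shares: dict[str, Share]
    issue_viewers: dict[int, set[str]]  # issue id -> accounts allowed to view it
    sent_mail: list[tuple[str, str]] = field(default_factory=list)


class Forbidden(Exception):
    pass


def mention_vulnerable(store: Store, share_uuid: str, body: dict) -> None:
    """Behaviour the researcher describes: commentId from the request body is
    resolved directly, so a comment on an unrelated private issue is mailed out."""
    store.shares[share_uuid]  # the share must exist, but its issue is never compared
    comment = store.comments[body["commentId"]]
    store.sent_mail.append((body["email"], comment.body))


def mention_fixed(store: Store, share_uuid: str, body: dict) -> None:
    """Hardened form: the share pins the issue, the comment must belong to that
    issue, and the share owner must be allowed to view it."""
    share = store.shares[share_uuid]
    if body["workItemId"] != share.issue_id:
        raise Forbidden("workItemId does not match the shared issue")
    comment = store.comments.get(body["commentId"])
    if comment is None or comment.issue_id != share.issue_id:
        raise Forbidden("comment does not belong to the shared issue")
    if share.owner not in store.issue_viewers.get(share.issue_id, set()):
        raise Forbidden("share owner cannot view this issue")
    store.sent_mail.append((body["email"], comment.body))


def build_store() -> Store:
    """Constructed data mirroring the report: private issue 10001 the attacker
    cannot see, public issue 20001 the attacker shared externally."""
    return Store(
        comments={
            501: Comment(501, 10001, "private: launch date moved to Q3"),
            601: Comment(601, 20001, "public: fixed typo in README"),
        },
        shares={"share-aaaa": Share("share-aaaa", 20001, "attacker@example.com")},
        issue_viewers={
            10001: {"admin@example.com"},
            20001: {"admin@example.com", "attacker@example.com"},
        },
    )


def run_attack(handler) -> list[tuple[str, str]]:
    """Replay the tampered Part 2 step 10 request (ids swapped to the private
    issue and its comment) against a handler; return the mail it would send."""
    store = build_store()
    tampered = {"email": "attacker@example.com", "workItemId": 10001, "commentId": 501}
    try:
        handler(store, "share-aaaa", tampered)
    except Forbidden:
        pass
    return store.sent_mail


if __name__ == "__main__":
    print(ari_numeric_id("ari:cloud:jira:0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b:comment/501"))
    print("vulnerable:", run_attack(mention_vulnerable))
    print("fixed:     ", run_attack(mention_fixed))
```

Running the block shows the vulnerable handler mailing the private comment body to the attacker's address while the hardened handler sends nothing; the check that matters is the server deriving the issue from the share UUID instead of trusting workItemId, with the commentId-belongs-to-issue check closing the gap the researcher used.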

Activity

Adam Lipiński 19 March 2026, 10:29

QA pass completed. I still could not reproduce the issue; however, no regressions were found with the mention functionality. We’ll ask the researcher to double check on their end.

Adam Lipiński 16 March 2026, 11:04

I am not sure if this is something I am doing wrong but I am getting 500 Internal Server Error when I try to send the modified request.