CVE-2025-22169

5.4 MEDIUM

📋 TL;DR

Jira Align has an authorization vulnerability in which low-privilege users can reach endpoints they should not be able to access, potentially exposing sensitive information. This affects all organizations running vulnerable versions of Jira Align, and allows unauthorized users to perform actions such as subscribing to items without the required permissions.

💻 Affected Systems

Products:
  • Atlassian Jira Align
Versions: Specific versions not disclosed in reference; check vendor advisory for details
Operating Systems: All platforms running Jira Align
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations; vulnerability exists in authorization logic regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Low-privilege users could access sensitive configuration data, user information, or business metrics, potentially leading to data leakage or unauthorized system modifications.

🟠

Likely Case

Unauthorized users can view limited sensitive information or perform minor unauthorized actions like subscribing to objects, causing data integrity issues.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to minor information disclosure with no critical system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated low-privilege user account; exploitation involves discovering and accessing unauthorized endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Jira Align release notes for specific fixed version

Vendor Advisory: https://jira.atlassian.com/browse/JIRAALIGN-8638

Restart Required: No

Instructions:

1. Review Jira Align release notes for security fixes.
2. Apply the latest security patch from Atlassian.
3. Verify that authorization controls are functioning correctly post-update.

🔧 Temporary Workarounds

Temporary Access Restriction

all

Implement additional access controls or monitoring for low-privilege users

🧯 If You Can't Patch

  • Implement strict principle of least privilege for all user accounts
  • Enable detailed audit logging for all endpoint access attempts

🔍 How to Verify

Check if Vulnerable:

Test with a low-privilege user account attempting to access endpoints beyond that account's role scope

Check Version:

Check Jira Align administration panel for current version

Verify Fix Applied:

After patching, retest with the low-privilege user account to confirm that the unauthorized access is blocked

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to restricted endpoints
  • Unusual subscription activities from low-privilege accounts

Network Indicators:

  • HTTP requests to sensitive endpoints from unauthorized user accounts

SIEM Query:

source="jira-align" AND (event_type="access_denied" OR endpoint="*/restricted/*") AND user_role="low_privilege"

🔗 References
