Management summary
The Secure Login (2FA) plugin for Atlassian Jira, Confluence, and Bitbucket was vulnerable to a flaw that allowed attackers to bypass the implemented multi-factor authentication (MFA). Successful exploitation allowed an attacker with access to valid user credentials to completely bypass MFA protection.
Vendor description
"The ORIGINAL: Strong Security via 2FA auth. for Confluence, efficient but user friendly without any external 2-factor systems"
Business recommendation
The vendor provides a patch which should be installed immediately. More details can be found at the end of this advisory.
SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.
Vulnerability overview/description
1) Broken Access Control allows 2FA bypass (CVE-2026-12225)
"Secure Login (2FA) for Confluence" by syracom AG is a plugin which allows administrators to integrate a 2FA workflow into their Confluence instance. The plugin contains a broken access control vulnerability that allows an attacker to bypass the Two-Factor Authentication process with any account by using a specific user agent in their HTTP requests.
When bypassing the 2FA flow, an attacker can access the entire application and all of its settings, even though the 2FA plugin should block every request to web directories that are not included in its allowlist. In the worst case this can be abused to make arbitrary administrative changes to the Confluence instance, such as deactivating the 2FA plugin entirely.
The vulnerability exists because the plugin contains a code branch that is taken whenever it encounters specific user agents, such as the one of the Confluence mobile app. For every request carrying such a user agent, the 2FA plugin does not enforce 2FA at all. As a precondition for successful exploitation, an attacker requires valid credentials of a victim user account, for example obtained through a password leak or phishing.
Proof of concept
1) Broken Access Control allows 2FA bypass (CVE-2026-12225)
In order to exploit this issue, a maliciously crafted user agent, which contains the string "AtlassianMobileApp" or "JIRA" needs to be set.
Please note that all following PoC requests must contain this string within the user agent of the HTTP request. Furthermore, in the PoC it is assumed that the attacker has access to the credentials of an administrative account. However, please note that bypassing the 2FA requirement is possible for accounts of any role.
a) The attacker logs into the application with the username and password of a victim. Due to the specific user agent, the 2FA page is not displayed to the user:

Figure 1: Initial login
b) The attacker can view the 2FA secret of their current user by accessing the following URL:
http://localhost:8090/plugins/servlet/twofactor/userprofile
Figure 2: Secure login profile
The plaintext secret on the user page alone would allow bypassing any further 2FA requirements.
c) The maliciously crafted user agent also allows the attacker to access administrative pages and the Confluence WebSudo page (WebSudo starts a secure administration session and is required for many administrative actions).

Figure 3: Access configuration from dashboard

Figure 4: Websudo
d) At this point, the attacker can disable the 2FA plugin through the plugin management API. This can be done through the UI, as seen in the screenshots below, or by calling the following REST endpoint directly:
/rest/plugins/1.0/de.syracom.confluence.plugins.securelogin-key
Figure 5: Confluence app management
The successful exploit can be confirmed through the now disabled 2FA plugin.

Figure 6: App is disabled
The corresponding HTTP request to disable the plugin with the maliciously crafted user agent looks as follows:

Figure 7: Disable request
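As an added defender-side example that is not part of the advisory, the following script scans Confluence access log lines for the pattern described in the steps above: a request whose user agent carries one of the marker strings and that reaches the 2FA profile page, the administration pages or the plugin management REST endpoint. The combined log format, the `/admin/` prefix and all sample log lines are constructed assumptions; the two marker strings and the other two paths are taken from the advisory.

```python
import re
from collections import namedtuple

# Marker strings named in the advisory; a plain substring test is an assumption about the plugin's check.
BYPASS_UA_MARKERS = ("AtlassianMobileApp", "JIRA")
# Paths a mobile client has no reason to reach: the first two are from the advisory, the
# /admin/ prefix is an assumption about where Confluence serves its administration pages.
SENSITIVE_PATHS = ("/plugins/servlet/twofactor/userprofile", "/rest/plugins/1.0/", "/admin/")

# Combined-format access log line: ip, ident, user, timestamp, request, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one ordinary browser login, one login whose user agent carries a
# bypass marker and then reaches the pages the advisory describes, and one request that was denied.
SAMPLE_LOG = """\
10.0.0.5 - alice [01/Jan/2026:10:00:01 +0000] "POST /dologin.action HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.5 - alice [01/Jan/2026:10:00:02 +0000] "GET /dashboard.action HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - admin [01/Jan/2026:10:05:01 +0000] "POST /dologin.action HTTP/1.1" 302 0 "-" "AtlassianMobileApp/1.0"
10.0.0.9 - admin [01/Jan/2026:10:05:03 +0000] "GET /plugins/servlet/twofactor/userprofile HTTP/1.1" 200 4096 "-" "AtlassianMobileApp/1.0"
10.0.0.9 - admin [01/Jan/2026:10:05:10 +0000] "GET /admin/console.action HTTP/1.1" 200 9000 "-" "AtlassianMobileApp/1.0"
10.0.0.9 - admin [01/Jan/2026:10:05:20 +0000] "PUT /rest/plugins/1.0/de.syracom.confluence.plugins.securelogin-key HTTP/1.1" 200 100 "-" "AtlassianMobileApp/1.0"
10.0.0.7 - bob [01/Jan/2026:10:06:00 +0000] "GET /admin/console.action HTTP/1.1" 403 0 "-" "Mozilla/5.0 JIRA-Integration"
"""

Finding = namedtuple("Finding", "ip user method path ua")

def is_bypass_ua(ua: str) -> bool:
    return any(marker in ua for marker in BYPASS_UA_MARKERS)

def is_sensitive(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in SENSITIVE_PATHS)

def scan(log_text: str) -> list:
    """Flag every non-error response to a request that pairs a marker user agent with a sensitive path."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Denied requests (4xx/5xx) are dropped: the interesting case is a sensitive page that was served.
        if m and int(m["status"]) < 400 and is_bypass_ua(m["ua"]) and is_sensitive(m["path"]):
            findings.append(Finding(m["ip"], m["user"], m["method"], m["path"], m["ua"]))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f.user}@{f.ip} {f.method} {f.path} ua={f.ua!r}")
```

Legitimate mobile app sessions do not normally touch these paths, so each finding is worth correlating with the preceding login of the same user and source address.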
Vulnerable / tested versions
The following version, the latest available at the time of the test, has been tested:
- 3.4.0.1
According to the vendor, the following versions are affected:
- Secure Login (2FA) - Jira = 3.4.0.x
- Secure Login (2FA) - Confluence = 3.4.0.x
- Secure Login (2FA) - Bitbucket = 3.4.0.0