/
Security vulnerability notice - 30th January 2026

Security vulnerability notice - 30th January 2026

A proof-of-concept privilege escalation vulnerability that was recently identified in the app Enterprise Mail Handler for Jira Cloud.

Based on the CVSS v3.0 scoring system, this vulnerability has a calculated base score of 7.6 and a current temporal score of 6.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N/E:P/RL:O/RC:C).

It was reported through our public bug bounty campaign on 20th January 2026 and fixed with a release on 29th January 2026. There is no evidence of this being exploited publicly.

Security is a top priority for us, and we are continuously working to improve the security posture of both the app and ourselves. Improvements are being made that allow us to surface data access in the form of low-level auditing and reporting capabilities. Updates on this effort to increase traceability for app users will be coming soon.

If you have any questions for us please raise a support request through our portal, or contact Atlassian via Atlassian Support, using reference AMS-50051.

Sincerely,

Andy Brook

CEO

The Plugin People