
2026-02-03 - Stored HTML/CSS Injection allowing for XSRF token Extraction in API Token Authentication for Jira, Confluence, and Bitbucket

Summary

Stored HTML/CSS Injection allowing for XSRF token Extraction in the API Token Authentication app

Advisory Release Date

2/3/2026

Products

API Token Authentication for Jira
API Token Authentication for Confluence
API Token Authentication for Bitbucket

Affected Versions

2.0.0 - 2.7.7

Fixed Version

2.7.8

CVSS Score

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C => 7.3 base High / 6.6 temporal Medium

Summary

This advisory discloses a high-severity security vulnerability affecting versions 2.0.0-2.7.7 of the API Token Authentication app for Jira, Confluence, and Bitbucket.

Please upgrade your app installation to version 2.7.8 or later to fix this vulnerability.

Details

The API Token Authentication app does not properly sanitize certain user-controlled input when rendering the token details in the app UI. Under specific circumstances, this could allow an attacker to inject arbitrary styles, altering content or exfiltrating it, including the XSRF token that protects the victim against XSRF attacks, as well as injecting elements that would, when clicked by the victim, constitute a CSRF attack.

For a successful HTML/CSS injection attack, the following requirements must be met:

  • The attacker must have the ability to create API tokens and prepare one for the exploit

  • The victim must be an API Token Authentication app user with the “Create & Delete Token On Behalf” permission

    • By default, on all products except Bitbucket, all administrators have this permission

  • The victim must click the Details button of the affected token in the “Manage Tokens of all users” tab of the app

For the full potential of the attack to be realized:

  • The attacker must then successfully execute an XSRF attack on the victim

What You Need to Do

Upgrade the API Token Authentication app to version 2.7.8 or later.

As a mitigating workaround, you could configure a rule in your load balancer or reverse proxy to extend Atlassian’s built-in CSP header with a style-src directive set to 'self'. However, this may break the instance or other apps, and it only prevents content extraction (such as the XSRF token); it still allows content to be defaced and HTML to be injected. Upgrading is strongly recommended.
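The workaround above hinges on the effective style-src of the policy that reaches the browser, so it helps to have a small check for it before and after changing the proxy rule. The following helper is an added example, not code from the advisory or the vendor: it parses a CSP header, adds or overrides `style-src 'self'` the way the proxy rule would, and reports whether the resulting policy blocks injected inline styles (it does so when the effective style sources exist and do not contain 'unsafe-inline'). The function names and the sample headers are constructed for illustration; the headers are not Atlassian's actual values.

```python
"""Added example for the CSP workaround. Function names and sample headers are
constructed assumptions, not the advisory's or the vendor's code."""
from typing import Dict, List, Optional, Tuple

Policy = Dict[str, List[str]]


def parse_csp(header: str) -> Policy:
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Directive names are case-insensitive, and when a directive appears twice
    browsers honour the first occurrence and ignore the rest, so that is what
    is reproduced here.
    """
    policy: Policy = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name, *values = parts
        policy.setdefault(name.lower(), values)
    return policy


def serialize_csp(policy: Policy) -> str:
    """Render a parsed policy back into header form ("name src src; ...")."""
    return "; ".join(
        (name + " " + " ".join(values)).strip() for name, values in policy.items()
    )


def effective_style_src(policy: Policy) -> Optional[List[str]]:
    """Sources that govern <style> elements and style attributes.

    style-src wins if present; otherwise CSP falls back to default-src;
    with neither, inline styles are unrestricted (None).
    """
    if "style-src" in policy:
        return policy["style-src"]
    return policy.get("default-src")


def inline_styles_blocked(header: str) -> bool:
    """True when an attacker-injected <style> block would be refused.

    A nonce or hash in the list is fine (the injected block has neither);
    'unsafe-inline' or the absence of any governing directive is not.
    """
    sources = effective_style_src(parse_csp(header))
    return sources is not None and "'unsafe-inline'" not in sources


def extend_csp_with_style_self(header: str) -> Tuple[str, bool]:
    """Apply the workaround: set style-src to exactly 'self'.

    Returns the new header value and whether anything changed. An existing
    style-src that already reads 'self' is left untouched; any other value
    (for example one carrying 'unsafe-inline') is replaced, which is the
    change that may break other apps as the advisory warns.
    """
    policy = parse_csp(header)
    if policy.get("style-src") == ["'self'"]:
        return serialize_csp(policy), False
    policy["style-src"] = ["'self'"]
    return serialize_csp(policy), True


if __name__ == "__main__":
    # Constructed sample: a policy that allows inline styles.
    before = "default-src 'self'; script-src 'self' 'nonce-abc'; style-src 'self' 'unsafe-inline'"
    after, changed = extend_csp_with_style_self(before)
    print("before blocks inline styles:", inline_styles_blocked(before))  # False
    print("after :", after)
    print("after blocks inline styles:", inline_styles_blocked(after))    # True
```

Run the check against the header your proxy actually emits (for example from a browser's network panel) rather than against the rule you wrote, since a typo in the directive name or a duplicate directive earlier in the header silently leaves the original behaviour in place. Remember that this only limits style-based extraction; the HTML injection itself is addressed by the upgrade.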

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.