
2025-12-08 Broken Access Control in monday.com for Jira Cloud

Summary

Broken access control in https://marketplace.atlassian.com/apps/1224678/monday-com-for-jira-collaboration-sync-issues-items allowed low-privileged Jira Service Management (JSM) customer accounts to hijack the OAuth connection between Jira and http://monday.com and gain unauthorized access to Jira issues.

The issue has been fully fixed on the vendor side by correcting the broken access control. No action is required from Jira Cloud administrators, but we recommend that you double-check the connected monday.com account.


Advisory Release Date

2025-12-08


Product


Affected Versions


Fixed Versions


Severity

resolution rates the severity level of this vulnerability as High, according to the CVSS v3.1 specification.

Base Score (vendor assessment):

  • Base Score: 8.3 (High)

  • Vector:
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Explanation (short):

  • Network-based attack (AV:N)

  • Low attack complexity (AC:L)

  • Low privileges required (PR:L) – a JSM customer account

  • No user interaction required (UI:N)

  • Same security scope (S:U) – abuse is confined to the Jira instance and its integration

  • High impact on confidentiality and integrity (C:H/I:H), limited availability impact (A:L)

Temporal Score (post-fix, vendor assessment):

  • Temporal Score: 7.1 (High)

  • Vector:
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C

Where:

  • E:U (Unproven) – there is no evidence of exploitation in customer environments and no public exploit code.

  • RL:O (Official Fix) – an official fix has been deployed.

  • RC:C (Confirmed) – the issue is confirmed by internal analysis and researcher PoC.

This is an independent assessment; customers should evaluate its applicability to their own environments.


Summary of Vulnerability

The vulnerability was caused by broken access control on an OAuth-related endpoint used by the http://monday.com for Jira Cloud integration:

  • A JSM customer (non-admin) with knowledge of the flow was able to access an OAuth initialization endpoint on the Jira side that was intended only for Jira administrators.

  • The attacker would have been able to connect their own monday.com account to a victim’s Jira.

  • As a result, the attacker would have been able to access, from their own monday.com account, all Jira spaces that the Jira admin had made accessible to monday.com when setting up the original connection.

    • By default, these are all Jira spaces that are not restricted, i.e. those available to regular Jira users.

The design assumed that only Jira administrators would ever reach these endpoints.

Signs of exploitation

  • Any successful use of this flow would visibly disrupt the original integration for the legitimate customer, as their existing Jira–monday.com connection would be replaced by the attacker’s.

    • Linking Jira work items and monday.com items and accessing existing links would no longer work.

  • The admin page of the app would show that a different monday.com account is linked.


Impact

  • Confidentiality:

    • High. An attacker could gain read access to a broad set of Jira issues via the hijacked integration, potentially including sensitive business data and internal discussions.

  • Integrity:

    • High. An attacker could modify issue fields and add comments via the integration, potentially corrupting data and workflows.

  • Availability:

    • Limited. There is no direct crash or denial-of-service effect, but tampering with issues and workflows may indirectly disrupt operations.

  • User-visible effect of exploitation:

    • The original integration configuration would stop working as expected for the legitimate customer and instead appear to be linked incorrectly or behave unexpectedly.

    • In practice, this makes the vulnerability noisy: a successful attack is likely to be noticed by customers due to integration malfunction.


Evidence of Exploitation

  • The vulnerability was reported via our bug bounty program with a working proof-of-concept.

  • We have no evidence of active exploitation in customer environments.

  • Backend logs and operational monitoring have not indicated any patterns consistent with real-world abuse of this vulnerability.

We will continue to monitor for any suspicious activity and update this advisory if new information becomes available.


Fix

We have fixed the vulnerability by correcting the broken access control in the https://marketplace.atlassian.com/apps/1224678/monday-com-for-jira-collaboration-sync-issues-items integration.

These changes directly address the broken access control that allowed low-privileged users to perform administrative configuration actions. The fix has been rolled out centrally to all https://marketplace.atlassian.com/apps/1224678/monday-com-for-jira-collaboration-sync-issues-items environments.

Additionally, we are in the process of adding more defense in depth measures.
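To make the access-control point of the Summary of Vulnerability and Fix sections concrete, the following JavaScript is an added illustration, not the app's own code, and makes no claim about how the vendor implemented the fix. It models the OAuth initialization endpoint in the vulnerable shape (any authenticated caller can start the connection and replace the linked monday.com account) beside a hardened shape that denies by default unless the caller is a Jira administrator. The caller fields `isJiraAdmin` and `isPortalOnlyCustomer`, the site and account identifiers, the in-memory store and the audit log are all constructed assumptions for this example; the audit trail of replaced connections is one possible defense-in-depth measure, shown as an assumption rather than as the vendor's actual change.

```javascript
// Added illustration (not the vendor's code): the OAuth "connect" endpoint of a
// Jira Cloud app in the vulnerable shape beside a hardened one. Caller fields,
// identifiers and the store are constructed for this example.

// Constructed in-memory store: Jira site id -> monday.com account linked to it.
const initialConnections = new Map([["jira-site-A", "monday-account-set-by-admin"]]);

// Constructed caller contexts. A JSM portal-only customer is authenticated but
// is not a Jira administrator; only the admin should be able to (re)configure
// the integration.
const callers = {
  admin: { accountId: "acc-admin", isJiraAdmin: true, isPortalOnlyCustomer: false },
  customer: { accountId: "acc-customer", isJiraAdmin: false, isPortalOnlyCustomer: true },
};

// Vulnerable shape: the endpoint checks only that the request is authenticated,
// relying on the assumption that nobody but an admin ever reaches it. Any
// authenticated caller can therefore replace the linked monday.com account.
function startOAuthConnectVulnerable(store, siteId, caller, mondayAccount) {
  if (!caller || !caller.accountId) return { status: 401, reason: "unauthenticated" };
  store.set(siteId, mondayAccount);
  return { status: 302, connected: mondayAccount };
}

// Hardened shape: authorization is enforced on the endpoint itself, deny by
// default, and every replacement of an existing connection is recorded.
function startOAuthConnectFixed(store, siteId, caller, mondayAccount, audit = []) {
  if (!caller || !caller.accountId) return { status: 401, reason: "unauthenticated" };
  if (caller.isPortalOnlyCustomer || !caller.isJiraAdmin) {
    // Portal-only customers and non-admin users are rejected before any state changes.
    audit.push({ event: "connect.denied", siteId, accountId: caller.accountId });
    return { status: 403, reason: "jira-admin-required" };
  }
  const previous = store.get(siteId);
  if (previous && previous !== mondayAccount) {
    // Defense in depth (an assumption for this example, not the vendor's change):
    // leave a reviewable trail whenever the linked account is swapped.
    audit.push({
      event: "connect.replaced",
      siteId,
      accountId: caller.accountId,
      previous,
      next: mondayAccount,
    });
  }
  store.set(siteId, mondayAccount);
  return { status: 302, connected: mondayAccount };
}

// Stand-alone demo: the same customer request against both handlers.
function demo() {
  const vulnerableStore = new Map(initialConnections);
  const fixedStore = new Map(initialConnections);
  const audit = [];
  const v = startOAuthConnectVulnerable(vulnerableStore, "jira-site-A", callers.customer, "other-monday-account");
  const f = startOAuthConnectFixed(fixedStore, "jira-site-A", callers.customer, "other-monday-account", audit);
  return {
    vulnerable: { status: v.status, linked: vulnerableStore.get("jira-site-A") },
    fixed: { status: f.status, linked: fixedStore.get("jira-site-A"), audit },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block stand-alone prints the outcome of one portal-only customer request against both handlers: the vulnerable handler silently replaces the admin's connection, while the hardened handler returns 403, leaves the existing connection untouched, and records the denied attempt. That recorded attempt, together with the replacement trail written on legitimate admin changes, is the kind of signal an administrator would want when performing the check described under What You Need to Do.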


What You Need to Do

For Jira Cloud customers using https://marketplace.atlassian.com/apps/1224678/monday-com-for-jira-collaboration-sync-issues-items:

  • To get the fix, no action is required.

    • The fix has been implemented and rolled out centrally.

    • There is no app upgrade or configuration change needed on your side.

  • To check that the vulnerability was not exploited, please double-check in the app’s admin configuration page (see Step 1 of Getting Started) that the connected monday.com account is correct.

As general hardening guidance (not specific to this vulnerability), administrators may still wish to:

  • Ensure the principle of least privilege is maintained.

    • Periodically review Jira space permissions.

    • In the app’s configuration, review which spaces the app makes visible to http://monday.com users.

  • Review whether public JSM customer signup (“Allow customers to create accounts”) is necessary for their use case.


Support

If you have questions or concerns regarding this advisory, or if you would like assistance reviewing your configuration, please raise a support request via one of these channels: https://www.resolution.de/support/