CVE-2025-22172: Improper Authorization in Atlassian Jira Align
Jira Align is vulnerable to an authorization issue. A low-privilege user can access unexpected endpoints that disclose a small amount of sensitive information. For example, a low-level user was able to read external reports without the required permission.
AI Analysis
Technical Summary
CVE-2025-22172 is an authorization vulnerability identified in Atlassian Jira Align, a tool widely used for enterprise agile planning and portfolio management. The flaw arises from improper authorization checks that allow users with low-level privileges to access endpoints that should be restricted. Specifically, these users can retrieve sensitive information, including external reports, without having the necessary permissions. The vulnerability affects Jira Align versions 11.14.0 and later, including 11.14.1, 11.15.0, 11.15.1, and 11.16.0. The CVSS 4.0 vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), does not require authentication beyond low privileges (PR:L), and no user interaction (UI:N). The impact is limited to confidentiality (VC:L) with no effect on integrity or availability. No known exploits have been reported to date, but the vulnerability could be leveraged by malicious insiders or compromised low-privilege accounts to gain unauthorized access to sensitive project data. The root cause is a failure to enforce proper authorization checks (CWE-285) on certain API endpoints or UI components. This could lead to information disclosure that might aid further attacks or cause compliance issues. Atlassian has not yet released patches, so organizations must monitor for updates and apply them promptly once available.
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive project and portfolio management information, which could include strategic plans, financial data, or external reports. This exposure can undermine confidentiality, potentially leading to competitive disadvantage, regulatory non-compliance (e.g., GDPR if personal data is involved), and reputational damage. While the vulnerability does not affect system integrity or availability, the leaked information could be used by threat actors to facilitate social engineering, spear-phishing, or lateral movement within the network. Organizations in sectors such as finance, government, and critical infrastructure that rely on Jira Align for managing sensitive projects are at higher risk. The medium severity score reflects the limited scope of data exposure and the requirement for an attacker to have at least low-level access, which somewhat reduces the risk but does not eliminate it. Given the widespread use of Atlassian products in Europe, the vulnerability could have broad implications if exploited.
Mitigation Recommendations
1. Monitor Atlassian’s official channels for the release of security patches addressing CVE-2025-22172 and apply them immediately upon availability.
2. Until patches are released, restrict access to Jira Align to trusted users only and review user roles to ensure minimal necessary privileges are assigned.
3. Implement strict network segmentation and access controls to limit exposure of Jira Align instances to internal networks or VPNs only.
4. Enable detailed logging and monitoring of access to sensitive endpoints and reports within Jira Align to detect anomalous or unauthorized access attempts.
5. Conduct regular audits of user permissions and endpoint access to identify and remediate any privilege escalations or misconfigurations.
6. Educate users about the importance of safeguarding their credentials to prevent compromise of low-privilege accounts.
7. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block suspicious API calls targeting authorization bypass attempts.
8. Review and update incident response plans to include scenarios involving unauthorized data disclosure from project management tools.
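One way to carry out recommendations 4 and 5 together, as an added example that is not part of this advisory or of Atlassian's product: cross-check an access log against the exported role assignments and flag every successful read of a sensitive endpoint by a role that should not have it. The log format, endpoint paths and role names are constructed assumptions; Jira Align's real ones differ and the pattern must be adapted to the actual log source.

```python
import re
from collections import namedtuple

# Constructed policy: which roles may read each sensitive endpoint family.
# Paths and role names are assumptions for this example, not Jira Align's real ones.
REQUIRED_ROLE = {
    "/api/reports/external": {"portfolio_admin", "super_admin"},
    "/api/reports/financial": {"portfolio_admin", "super_admin"},
}

# Constructed role export (recommendation 5: regular audit of user permissions).
USER_ROLES = {"alice": "super_admin", "bob": "team_member", "carol": "portfolio_admin"}

# Constructed access-log format; adapt the pattern to the real log source.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
Finding = namedtuple("Finding", "ts user role path status")

def audit(lines, user_roles=USER_ROLES, required=REQUIRED_ROLE):
    """One Finding per successful read of a sensitive endpoint by a role outside its
    allow-set; a 2xx to such a role is the signal, since enforced authz answers 403."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: skip rather than guess
        path = m["path"].split("?", 1)[0]  # match on the path, not the query string
        status = int(m["status"])
        role = user_roles.get(m["user"], "unknown")  # unknown principals get flagged too
        for prefix, allowed in required.items():
            if (path == prefix or path.startswith(prefix + "/")) \
                    and role not in allowed and 200 <= status < 300:
                findings.append(Finding(m["ts"], m["user"], role, path, status))
    return findings

# Constructed sample log: alice is entitled, bob is denied once and served once,
# dave is absent from the role export, and one line is not a request at all.
SAMPLE_LOG = [
    "2025-10-22T10:00:01Z user=alice method=GET path=/api/reports/external/42 status=200",
    "2025-10-22T10:00:05Z user=bob method=GET path=/api/reports/external/42 status=200",
    "2025-10-22T10:00:09Z user=bob method=GET path=/api/reports/financial/7 status=403",
    "2025-10-22T10:00:15Z user=dave method=GET path=/api/reports/external/42?format=csv status=200",
    "not a request line at all",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.user} ({f.role}) read {f.path} -> HTTP {f.status}")
```

A 403 for a low-privilege user is the expected outcome and is not reported; only served requests that the role model says should have been refused appear in the output.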
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: atlassian
- Date Reserved: 2025-01-01T00:01:27.177Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f90a3b99c688c2fb43c640
Added to database: 10/22/2025, 4:45:47 PM
Last enriched: 10/29/2025, 5:05:51 PM
Last updated: 12/14/2025, 4:10:16 AM