CVE-2025-22172 is an improper authorization vulnerability identified in Atlassian Jira Align, a tool widely used for enterprise agile planning and portfolio management. The flaw allows users with low-level privileges to access endpoints that should be restricted, leading to unauthorized disclosure of sensitive information such as external reports. These reports may contain business-critical data, project statuses, or other confidential information. The vulnerability affects Jira Align versions 11.14.0 and later, including 11.14.1, 11.15.0, 11.15.1, and 11.16.0. The CVSS 4.0 base score is 5.3, reflecting a medium severity level due to the network attack vector, low attack complexity, no requirement for user interaction, and the fact that only low privileges are needed to exploit it. The impact is limited to confidentiality, with no direct effect on integrity or availability. No authentication bypass or privilege escalation occurs, but the unauthorized access to sensitive data can lead to information leakage. Atlassian has not yet published patches or known exploits in the wild, but organizations should proactively assess their exposure. The vulnerability highlights the need for strict access control enforcement and endpoint security within Jira Align deployments.

For European organizations, the unauthorized disclosure of sensitive information through Jira Align could lead to competitive disadvantage, regulatory compliance issues (especially under GDPR due to potential exposure of personal or business data), and erosion of trust with clients and partners. Organizations managing large-scale projects, government contracts, or critical infrastructure using Jira Align are particularly vulnerable to data leaks that could reveal strategic plans or confidential reports. While the vulnerability does not allow modification or disruption of services, the confidentiality breach alone can have significant reputational and operational consequences. The medium severity score indicates a moderate risk, but the ease of exploitation by low-privilege users increases the likelihood of internal threat actors or compromised accounts abusing this flaw. European companies with extensive Atlassian deployments should prioritize risk assessments and mitigation to prevent potential data exposure.

1. Monitor Atlassian’s official channels for patches addressing CVE-2025-22172 and apply them promptly once released. 2. Conduct an immediate audit of user roles and permissions within Jira Align to ensure that low-privilege users do not have unnecessary access to sensitive endpoints or reports. 3. Implement strict role-based access controls (RBAC) and review custom permission schemes to close any gaps that could be exploited. 4. Use network segmentation and firewall rules to restrict access to Jira Align endpoints, limiting exposure to trusted users and networks only. 5. Enable detailed logging and monitoring of access to sensitive reports and endpoints to detect unusual access patterns or potential exploitation attempts. 6. Educate internal users about the risk of unauthorized data access and encourage reporting of suspicious activity. 7. Consider temporary compensating controls such as disabling external report access for low-privilege users until a patch is applied. 8. Evaluate integration points with other systems to ensure that leaked data cannot be further exploited or aggregated.