CVE-2025-22174 is an improper authorization vulnerability identified in Atlassian Jira Align, a widely used enterprise agile planning tool. The flaw stems from insufficient access control checks on certain API endpoints, allowing users with low privileges to access data typically restricted to higher privilege roles. Specifically, low-level users can view portfolio rooms, which may contain sensitive project and organizational information. The vulnerability affects Jira Align versions 11.14.0 and above, including 11.14.1, 11.15.0, 11.15.1, and 11.16.0. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network exploitability without authentication or user interaction, but limited confidentiality impact. The weakness corresponds to CWE-285 (Improper Authorization). No patches have been released yet, and no exploits are known in the wild. The issue could allow unauthorized data exposure, potentially aiding attackers in reconnaissance or lateral movement within an organization. Given Jira Align’s role in managing strategic projects and portfolios, unauthorized access could reveal sensitive business information. The vulnerability does not affect system integrity or availability directly but undermines trust in access controls. Organizations should prioritize monitoring and restrict user privileges as a temporary mitigation.

For European organizations, the impact primarily involves unauthorized disclosure of sensitive project and portfolio information managed within Jira Align. This could lead to exposure of strategic business plans, resource allocations, and other confidential data, potentially benefiting competitors or threat actors conducting espionage. While the vulnerability does not allow modification or deletion of data, the leakage of sensitive information can undermine organizational confidentiality and decision-making. Industries such as finance, manufacturing, and government entities using Jira Align for agile planning may face increased risk of information leakage. The medium severity score reflects that while the impact is limited to confidentiality, the ease of exploitation (network accessible, no user interaction) increases risk. Organizations with extensive use of Jira Align across multiple teams may experience broader exposure. Additionally, unauthorized access could facilitate further attacks by providing attackers with insight into organizational structure and project priorities.

1. Immediately review and tighten user access controls within Jira Align, ensuring that low-privilege users have no access to sensitive portfolio rooms or restricted endpoints. 2. Implement network segmentation and firewall rules to limit access to Jira Align interfaces only to trusted internal networks and users. 3. Enable detailed logging and monitoring of access to portfolio rooms and other sensitive endpoints to detect unusual access patterns. 4. Coordinate with Atlassian to track the release of official patches addressing CVE-2025-22174 and apply them promptly once available. 5. Conduct internal audits of user roles and permissions regularly to prevent privilege creep. 6. Consider deploying web application firewalls (WAFs) with custom rules to block unauthorized API calls targeting portfolio room endpoints. 7. Educate administrators and users about the risk of unauthorized data exposure and encourage reporting of suspicious activity. 8. If feasible, temporarily restrict access to portfolio rooms to only essential personnel until patches are applied. 9. Review integration points and APIs for similar authorization weaknesses to prevent lateral exploitation.