2026 01 05 - P3 Security issue

A security vulnerability was recently identified and fixed in Elements Connect. Here are the details about the issue, its impact and the analysis and actions taken.

Nature of the issue

A Jira administrator can recover the credentials used in a REST API datasource by changing the Path field to redirect the call to an unintended external endpoint. This vulnerability has been rated as medium on the scale published by the Common Vulnerability Scoring System (CVSS).

This vulnerability was identified through an annual penetration test carried out by an independent external security provider in December 2025.

Impact

The practical impact of this vulnerability is limited, as it can only be exploited by a Jira administrator who wants to compromise another Jira administrator of the same Jira site.

Based on the logs and monitoring data available to us, we have not identified evidence of exploitation.

Analysis and actions taken

After reproducing the issue on our side, we activated an emergency unit to collect all necessary information and investigation findings, perform an impact analysis, and develop and deploy a fix as soon as possible.

To fix the issue, we added validation to ensure that outbound REST API requests cannot include user-controlled values that override the destination host, preventing authenticated requests from being sent to unintended endpoints.
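The sketch below shows one way to implement a destination check of this kind. It is an added example, not Elements Connect code: the function names, hostnames and token are constructed, and it assumes the request URL is built by appending the Path value to the datasource base URL.

```javascript
// Added example: all hostnames and the token are constructed placeholders.

// Returns a reason string when candidateUrl would leave the configured
// datasource origin, or null when the destination is unchanged.
function destinationProblem(baseUrl, candidateUrl) {
  const base = new URL(baseUrl);
  let target;
  try {
    target = new URL(candidateUrl);
  } catch (err) {
    return 'unparseable URL';
  }
  if (target.username || target.password) return 'userinfo in URL';
  if (target.origin !== base.origin) return 'host changed to ' + target.host;
  return null;
}

// Check the admin-editable path under both ways a client might join it to
// the base URL: plain string concatenation and URL reference resolution.
function pathProblem(baseUrl, path) {
  if (typeof path !== 'string' || /[\u0000-\u0020\\]/.test(path)) {
    return 'space, control character or backslash in path';
  }
  let resolved;
  try {
    resolved = new URL(path, baseUrl).href;
  } catch (err) {
    return 'unparseable URL';
  }
  return destinationProblem(baseUrl, baseUrl + path) ||
         destinationProblem(baseUrl, resolved);
}

// Build the request only after validation, so the stored credential is
// never attached to a request bound for another host.
function buildRequest(baseUrl, path, token) {
  const problem = pathProblem(baseUrl, path);
  if (problem) throw new Error('datasource path rejected: ' + problem);
  return {
    url: new URL(baseUrl + path).href, // assumed join: concatenation
    headers: { Authorization: 'Bearer ' + token },
  };
}

// Constructed sample run.
const BASE = 'https://api.example.test';
for (const p of ['/rest/items?q=1', '//other.example/x', '@other.example/x']) {
  console.log(JSON.stringify(p), '->', pathProblem(BASE, p) || 'ok');
}
```

The comparison is made on the parsed origin rather than on a string prefix, because a prefix match still passes when the appended value extends the hostname.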

The fixed version was released following the usual procedure on .

In addition to automatic integration tests, we conducted thorough non-regression tests manually to confirm the resolution of the issue.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "ECC-4284".
