
CVE-2026-41103: Microsoft's SSO plugin for Jira and Confluence lets attackers impersonate any user

Microsoft published an advisory on 12 May 2026 for CVE-2026-41103, a critical flaw in its Single Sign-On plugin for Atlassian Jira and Confluence. The problem lies in how the plugin verifies the SAML responses it receives during login. That verification is implemented incorrectly, which lets someone without valid credentials sign in as if they were another person.

The NVD classifies it as CWE-303 (incorrect implementation of an authentication algorithm) and assigns a CVSS 3.1 base score of 9.1, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. In plain terms: the attack runs over the network, needs no prior authentication, requires no interaction from the victim, and compromises both confidentiality and integrity.

What actually breaks

SAML is the protocol these plugins use to delegate login to an external identity provider. The normal flow is simple: the provider signs an assertion that says “this user is who they claim to be,” and the application checks that signature before granting access. When that check is done wrong, an attacker can craft a manipulated response message during login and force the plugin to accept it as valid.

The result is privilege elevation over the network. The attacker forges a legitimate user’s identity, potentially one with administrative rights, and from there reads or modifies data in Jira and Confluence. No stolen password and no hijacked session are needed.

Who’s affected

The bug sits in Microsoft’s plugin, not in Jira or Confluence themselves. The vulnerable versions are:

  • Microsoft Confluence SAML SSO Plugin: before 7.4.0.
  • Microsoft JIRA SAML SSO Plugin: before 1.3.3.

Any Jira or Confluence install that relies on this plugin for SSO is exposed until it’s updated. In corporate setups where Jira and Confluence hold internal documentation, tickets, source code and credentials, an attacker logging in as an administrator is a serious problem.

Mitigation

The fix is to update the plugin to a version that isn’t affected: 7.4.0 or later on Confluence, 1.3.3 or later on Jira. There’s no full workaround beyond the patch, so the advice is to update promptly. If your organisation uses Microsoft SSO on top of Atlassian, check the installed plugin version and plan the update rather than waiting for the next maintenance window.

After patching, review access logs for anomalous logins before the update, especially accounts with elevated privileges. Microsoft hasn’t confirmed active exploitation in its advisory, but with a network-based authentication bypass scoring 9.1, this isn’t one to leave sitting.
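As an added example (not part of the article and not Microsoft's or Atlassian's code), the version check the mitigation section asks for, written as a small triage script: it compares an inventory of installed plugin versions against the fixed releases named above and reports the hosts that still need the update. The inventory and hostnames are constructed, and pre-release builds are conservatively treated as older than the fixed release.

```python
"""Triage Microsoft SAML SSO plugin versions for CVE-2026-41103.
Added example, not from the advisory or the article."""
import re

# Fixed releases from the advisory: anything below these is vulnerable.
FIXED_VERSIONS = {
    "Microsoft Confluence SAML SSO Plugin": "7.4.0",
    "Microsoft JIRA SAML SSO Plugin": "1.3.3",
}

def parse_version(text):
    """Turn '7.4.0', '7.4' or '7.4.0-rc1' into a comparable tuple.
    Missing components are padded with 0, and a pre-release suffix
    (anything after '-') sorts below the final release with the same
    numbers, so '7.4.0-rc1' is still reported as vulnerable."""
    core, _, suffix = text.strip().partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) + (0 if suffix else 1,)

def is_vulnerable(plugin, version):
    """True when the installed version is below the fixed release."""
    fixed = FIXED_VERSIONS.get(plugin)
    if fixed is None:
        raise ValueError(f"not a plugin covered by this advisory: {plugin!r}")
    return parse_version(version) < parse_version(fixed)

def triage(inventory):
    """inventory: iterable of (host, plugin, version).
    Returns (host, plugin, installed, required) for hosts needing the update."""
    return [
        (host, plugin, version, FIXED_VERSIONS[plugin])
        for host, plugin, version in inventory
        if is_vulnerable(plugin, version)
    ]

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("confluence-01", "Microsoft Confluence SAML SSO Plugin", "7.3.9"),
    ("confluence-02", "Microsoft Confluence SAML SSO Plugin", "7.4.0"),
    ("jira-01", "Microsoft JIRA SAML SSO Plugin", "1.3.2"),
    ("jira-02", "Microsoft JIRA SAML SSO Plugin", "1.3.3"),
]

if __name__ == "__main__":
    for host, plugin, have, need in triage(SAMPLE_INVENTORY):
        print(f"{host}: {plugin} {have} is vulnerable, update to {need}")
```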

Authentication bypasses like this have been common lately. We covered similar cases in the SmarterMail authentication bypass (CVE-2026-23760) and the Cisco Catalyst SD-WAN zero-day (CVE-2026-20127), both following the same pattern: a broken identity check that’s worth every password in the system.
