VULNERABILITY OVERVIEW
An incorrect implementation of the authentication algorithm in the Microsoft SSO Plugin for Jira & Confluence allows an unauthenticated remote attacker to forge an SSO response during the login process and sign in as any existing user without completing valid Microsoft Entra ID authentication. Successful exploitation gives the attacker full access to the victim's Jira and Confluence data and the ability to perform every action permitted for that account. Microsoft rates this as 'Exploitation More Likely', the only CVSS 9+ flaw in the May 2026 Patch Tuesday release with that rating, which makes it the most immediately dangerous of this month's Patch Tuesday disclosures in terms of exploitability for organizations running self-hosted Atlassian instances with Microsoft Entra integration.
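As an added illustration, not code from the plugin or from any of the cited sources, the following shows the checks a relying party must complete before an SSO response is allowed to select a local account, so that a response the identity provider never signed for this login cannot be mapped to a victim's user. It assumes an OIDC-style signed token and uses an HMAC secret as a constructed stand-in for Entra ID's RS256/JWKS verification; the issuer, audience, key and user table are all constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the advisory). A shared secret stands in for the
# provider's signing key; real Entra ID tokens are RS256-signed and verified against
# the tenant's published JWKS, but the validation order below is the same.
IDP_KEY = b"demo-idp-signing-key"
EXPECTED_ISSUER = "https://login.microsoftonline.com/EXAMPLE-TENANT/v2.0"
EXPECTED_AUDIENCE = "jira-sso-client-id"          # the plugin's own client id
LOCAL_USERS = {"oid-1111": "alice", "oid-2222": "bob"}  # immutable subject id -> local account


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Simulate the identity provider producing a signed SSO response (demo only)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def resolve_login(token: str, expected_nonce: str, now=None):
    """Return the local username this SSO response proves, or None if it must be rejected."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    # 1. Integrity: verify the signature under the provider's key before trusting any claim.
    expected = hmac.new(IDP_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    # 2. Scope: issued by our tenant, for this plugin, not expired, bound to this login attempt.
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    if claims.get("nonce") != expected_nonce:
        return None
    # 3. Identity: map on the immutable subject id, never on a mutable name or e-mail claim.
    return LOCAL_USERS.get(claims.get("oid"))
```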
CVSS BREAKDOWN
Microsoft SSO Plugin for Jira & Confluence, all versions prior to the May 2026 update
CITATIONS
- → Microsoft MSRC: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41103
- → Security Boulevard: https://securityboulevard.com/2026/05/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103/
- → Rapid7 Patch Tuesday Blog: https://www.rapid7.com/blog/post/em-patch-tuesday-may-2026/
- → The Hacker News: https://thehackernews.com/2026/05/microsoft-patches-138-vulnerabilities.html
- → SC World: https://www.scworld.com/news/patch-tuesday-no-zero-days-among-137-microsoft-cves-4-word-rces