CVE-2026-12225 syracom Secure Login (2FA) for Confluence allows 2FA bypass via spoofed User-Agent

🗓️ 16 Jun 2026 11:20:37Reported by SEC-VLabType

CVE-2026-12225: syracom Secure Login 2FA bypass via crafted User-Agent, enabling access without 2FA.

Reporter	Title	Published	Views	Family All 6
Circl	CVE-2026-12225	16 Jun 202613:32	–	circl
CVE	CVE-2026-12225	16 Jun 202611:20	–	cve
EUVD	EUVD-2026-37066	16 Jun 202611:20	–	euvd
NVD	CVE-2026-12225	16 Jun 202612:16	–	nvd
Positive Technologies	PT-2026-49655	16 Jun 202600:00	–	ptsecurity
Vulnrichment	CVE-2026-12225 syracom Secure Login (2FA) for Confluence allows 2FA bypass via spoofed User-Agent	16 Jun 202611:20	–	vulnrichment

[
  {
    "vendor": "syracom AG",
    "product": "Secure Login (2FA) for Jira",
    "versions": [
      {
        "status": "affected",
        "version": "3.4.0.0",
        "lessThan": "3.5.0.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "syracom AG",
    "product": "Secure Login (2FA) for Confluence",
    "versions": [
      {
        "status": "affected",
        "version": "3.4.0.0",
        "lessThan": "3.5.0.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "syracom AG",
    "product": "Secure Login (2FA) for Bitbucket",
    "versions": [
      {
        "status": "affected",
        "version": "3.4.0.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
syracom-bee	www.syracom-bee.atlassian.net/wiki/spaces/SL/pages/4193255427/2026-05-11+-+Secure+Login+security+advisory+-+Broken+Access+Control
syracom-bee	www.syracom-bee.atlassian.net/wiki/spaces/SL/pages/4230217729/Mobile+app+login+does+not+work+with+Secure+Login
r	www.r.sec-consult.com/syracom
marketplace	www.marketplace.atlassian.com/apps/1214491/secure-login-2fa-for-confluence

16 Jun 2026 11:20Current

CVSS 48.7

CWE-288