(Note that the notification email for this blog post would have stale contents – there is in fact only one vulnerability, and it has not been categorized as severe.)
We have fixed the following vulnerability in the S/Notify app for Confluence. It was reported by a security researcher, and we have no reports or other indication of this vulnerability being actively exploited.
The vulnerability was introduced in S/Notify for Confluence 4.2.0; earlier versions are not vulnerable. S/Notify for Jira and S/Notify for Bitbucket are not affected either.
You may only be affected if you use PGP and allow users to upload their own keys.
Please refer to our documentation for full details about the vulnerability, which installations are affected, and how to temporarily mitigate it:
SA-2026-06-01
An update that fixes the vulnerability is available.
With this information, we strive to provide you with optimum transparency. Please reach out to us if you have further questions.