I’ve been looking into JQL which seems to be part of the Advanced Search functionality in Jira. From what I can tell, it works like SQL but for searching through Jira data.
What worries me is that I can create URLs with JQL queries embedded in them. For instance, I made a link that searches for unresolved tickets in a specific project and sorts them by priority. When I tested this URL without being logged into the system, it still processed the query and returned some kind of response.
I tried it on a demo Jira instance and got back a message saying the project didn’t exist, plus a note about logging in to see more results. This makes me think the system is processing these queries even for anonymous users.
My main concerns are:
Could this be a security vulnerability?
Is there a risk of accidentally exposing sensitive project information?
Can JQL queries be manipulated for injection attacks similar to SQL injection?
Is it possible to restrict this functionality to logged-in users only?
Should I consider disabling JQL access for anonymous visitors?
JQL is not an SQL injection risk. It's more about search syntax than database commands. Jira's permission system prevents anonymous users from accessing restricted content. That "processing" message is just validation; nothing's being exposed. No need to worry about it!
I’ve managed Jira across different orgs, and what you’re seeing is totally normal - it’s actually a security feature. Those URLs with JQL queries only show data users have permission to see. Anonymous users hitting those links won’t see sensitive stuff unless your project permissions are messed up. Those ‘project doesn’t exist’ or login messages? That’s just Jira handling the request properly. It processes the query but applies your permission model before showing any real data. You can definitely restrict this to logged-in users through global permissions. Check the ‘Use’ permission under Applications Access - remove it for anonymous users and they can’t run searches at all. Just a heads up, this might break public dashboards if you’re using any. The real security issue isn’t JQL itself - it’s making sure your project visibility settings match what you actually want. I’d do a quick audit of which projects allow anonymous browsing.
I’ve run into this before in our enterprise setup. JQL works within Jira’s permission system - it doesn’t bypass anything. When anonymous users hit those URLs, they’re not seeing data, just basic validation responses about whether projects exist. You can lock it down more though. Go to Administration > System > Global permissions and restrict ‘Browse users and groups’ properly. Double-check your project permissions too - make sure anonymous access is set up how you want. For injection attacks - JQL gets parsed and sanitized by Jira’s query engine, so it’s not like raw SQL. The real risk is usually info leaking through loose project settings, not JQL itself. I’d audit what anonymous users can actually see in your instance.
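The two answers above both end with the same advice: audit what anonymous visitors can actually reach. The script below is an added example written for this thread, not code from Jira or from any of the posters. It compares the project list and the JQL search results that an anonymous request gets against what an authenticated user gets, using the Jira REST endpoints `/rest/api/2/project` and `/rest/api/2/search`. The base URL `https://jira.example`, the credentials `audit:secret`, the `jql_string` escaping rules (backslash-escaping `"` and `\` inside a double-quoted JQL literal) and all sample responses are assumptions or constructed data; the `fetch` argument is injected so the audit runs offline against the constructed responses and can be pointed at a live instance by passing `http_fetch`.

```python
"""Audit what an anonymous visitor can reach through Jira's JQL search URLs.

Added example, not from the original thread. Assumes Jira's REST endpoints
/rest/api/2/project and /rest/api/2/search; base URL, credentials and the
sample responses below are constructed for illustration.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# A fetch takes (url, "user:password" or None) and returns (status, body).
Fetch = Callable[[str, Optional[str]], Tuple[int, bytes]]


def jql_string(value: str) -> str:
    """Quote a user-supplied value as a JQL string literal.
    Assumed JQL escaping rules: backslash and double quote are backslash-escaped,
    so a value cannot break out of the literal and alter the query structure."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def search_url(base: str, jql: str) -> str:
    """Build the REST search URL with the JQL properly URL-encoded."""
    return f"{base}/rest/api/2/search?" + urllib.parse.urlencode(
        {"jql": jql, "maxResults": 50})


def http_fetch(url: str, auth: Optional[str]) -> Tuple[int, bytes]:
    """Live fetch: anonymous when auth is None, HTTP basic auth otherwise."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if auth:
        token = base64.b64encode(auth.encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx bodies still carry JSON errors
        return err.code, err.read()


def visible_projects(base: str, fetch: Fetch, auth: Optional[str]) -> set:
    """Project keys the caller is allowed to browse (empty set if refused)."""
    status, body = fetch(f"{base}/rest/api/2/project", auth)
    if status != 200:
        return set()
    return {p["key"] for p in json.loads(body)}


def classify_search(status: int, body: bytes) -> str:
    """Summarise what an anonymous search response reveals."""
    data = json.loads(body)
    if status == 200:
        return f"anonymous search returns {data.get('total', 0)} issues"
    msgs = "; ".join(data.get("errorMessages", []))
    return f"HTTP {status}: {msgs or 'search refused'}"


def anonymous_exposure(base: str, fetch: Fetch, auth: str) -> dict:
    """Diff the anonymous view against the authenticated view.

    For every project the authenticated user can see, run the kind of JQL the
    original post embedded in a URL (unresolved issues ordered by priority) as
    an anonymous request and record whether it returned issues or only a
    validation error."""
    anon = visible_projects(base, fetch, None)
    authed = visible_projects(base, fetch, auth)
    report = {
        "anonymous_projects": sorted(anon),
        "private_projects": sorted(authed - anon),
        "anonymous_search": {},
    }
    for key in sorted(authed):
        jql = (f"project = {jql_string(key)} AND resolution = Unresolved "
               "ORDER BY priority DESC")
        status, body = fetch(search_url(base, jql), None)
        report["anonymous_search"][key] = classify_search(status, body)
    return report


# Constructed offline responses: PUB is anonymously browsable, SEC is not.
_PROJECTS = {
    None: b'[{"key":"PUB"}]',
    "audit:secret": b'[{"key":"PUB"},{"key":"SEC"}]',
}


def sample_fetch(url: str, auth: Optional[str]) -> Tuple[int, bytes]:
    """Stand-in for http_fetch that answers from the constructed data."""
    parsed = urllib.parse.urlparse(url)
    if parsed.path == "/rest/api/2/project":
        return 200, _PROJECTS[auth]
    jql = urllib.parse.parse_qs(parsed.query)["jql"][0]
    if auth is None and 'project = "SEC"' in jql:
        # Jira reports a hidden project the same way as a nonexistent one.
        return 400, (b'{"errorMessages":["The value \'SEC\' does not exist '
                     b'for the field \'project\'."],"errors":{}}')
    return 200, b'{"total":3,"issues":[]}'


if __name__ == "__main__":
    # Replace sample_fetch with http_fetch to audit a real instance.
    print(json.dumps(anonymous_exposure("https://jira.example", sample_fetch,
                                        "audit:secret"), indent=2))
```

Two things to read off the report: `private_projects` lists what only the logged-in user can browse, and `anonymous_search` shows that a search URL for a private project yields only the "does not exist" validation error, which is the behaviour the original post observed. A project that unexpectedly shows up under `anonymous_projects`, or whose anonymous search returns a nonzero issue count, is the loose-permission case the answers warn about.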