We had a user create a rule that added a label to all issues upon creation using himself as the actor. The JQL was left blank. After enabling the rule, it all seemed to be working, but then we noticed that a group of other projects were aso having the label added to their tickets. The user had no permissions on these projects, no browse, modify or edit permissions whatsoever. The JIRA admin permission helper indicated that he didn't have permissions to modify these tickets. We deleted and re-created the rule with JQL to specify the project which seems to have resolved the problem. We have not seen any cross-project issues before, so this may be a fluke, but in case it is a bug, we wanted to let you know. I don't have a way to replicate it, so if this just gets closed as informational, that is fine with me.