{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27826", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.799Z", "datePublished": "2026-03-10T18:46:12.069Z", "dateUpdated": "2026-03-10T19:15:10.505Z"}, "containers": {"cna": {"title": "MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9"}, {"name": "https://github.com/sooperset/mcp-atlassian/commit/5cd697dfce9116ef330b8dc7a91291640e0528d9", "tags": ["x_refsource_MISC"], "url": "https://github.com/sooperset/mcp-atlassian/commit/5cd697dfce9116ef330b8dc7a91291640e0528d9"}], "affected": [{"vendor": "sooperset", "product": "mcp-atlassian", "versions": [{"version": "< 0.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T18:46:12.069Z"}, "descriptions": [{"lang": "en", "value": "MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer \u2014 not in any MCP tool handler - making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue."}], "source": {"advisory": "GHSA-7r34-79r5-rcc9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T19:15:04.483548Z", "id": "CVE-2026-27826", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:15:10.505Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27826", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:15:04.483548Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:15:08.025Z"}}], "cna": {"title": "MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers", "source": {"advisory": "GHSA-7r34-79r5-rcc9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sooperset", "product": "mcp-atlassian", "versions": [{"status": "affected", "version": "< 0.17.0"}]}], "references": [{"url": "https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9", "name": "https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sooperset/mcp-atlassian/commit/5cd697dfce9116ef330b8dc7a91291640e0528d9", "name": "https://github.com/sooperset/mcp-atlassian/commit/5cd697dfce9116ef330b8dc7a91291640e0528d9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer \u2014 not in any MCP tool handler - making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T18:46:12.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27826", "state": "PUBLISHED", "dateUpdated": "2026-03-10T19:15:10.505Z", "dateReserved": "2026-02-24T02:32:39.799Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T18:46:12.069Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sooperset:mcp_atlassian:*:*:*:*:*:*:*:*", "matchCriteriaId": "33DDEA27-F2D6-4CF3-9EB4-C03CC01B631A", "versionEndExcluding": "0.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer \u2014 not in any MCP tool handler - making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue."}, {"lang": "es", "value": "MCP Atlassian es un servidor de Model Context Protocol (MCP) para productos de Atlassian (Confluence y Jira). Antes de la versi\u00f3n 0.17.0, un atacante no autenticado que puede alcanzar el endpoint HTTP mcp-atlassian puede forzar al proceso del servidor a realizar solicitudes HTTP salientes a una URL arbitraria controlada por el atacante al proporcionar dos encabezados HTTP personalizados sin un encabezado 'Authorization'. No se requiere autenticaci\u00f3n. La vulnerabilidad existe en el middleware HTTP y la capa de inyecci\u00f3n de dependencias \u2014 no en ning\u00fan gestor de herramientas MCP - haci\u00e9ndola invisible para el an\u00e1lisis de c\u00f3digo a nivel de herramienta. En despliegues en la nube, esto podr\u00eda permitir el robo de credenciales de rol de IAM a trav\u00e9s del endpoint de metadatos de instancia ('169[.]254[.]169[.]254'). En cualquier despliegue HTTP permite el reconocimiento de red interno y la inyecci\u00f3n de contenido controlado por el atacante en los resultados de las herramientas LLM. La versi\u00f3n 0.17.0 soluciona el problema."}], "id": "CVE-2026-27826", "lastModified": "2026-04-13T15:01:48.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-10T19:17:20.670", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sooperset/mcp-atlassian/commit/5cd697dfce9116ef330b8dc7a91291640e0528d9"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mcp-atlassian", "source": "cna", "vendor": "sooperset"}, "product": "mcp-atlassian", "vendor": "sooperset"}], "analysis": {"en": {"generated_at": "2026-04-16T03:35:28.376745+00:00", "value": {"mitigation_remediation": ["Upgrade to MCP Atlassian version 0.17.0 or later to apply the fix. ", "Restrict inbound traffic to the mcp\u2011atlassian endpoint using network controls or firewall rules so that only trusted hosts can connect. ", "At the network or proxy layer, block or strip X-Atlassian-Jira-Url and X-Atlassian-Confluence-Url headers to prevent the server from making unintended outbound requests."], "summary": {"action": "Immediate Patch", "impact": "Server Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is the MCP Atlassian server, part of the sooperset project. Any version prior to 0.17.0 that exposes the mcp-atlassian HTTP endpoint is vulnerable. The server acts as a Model Context Protocol (MCP) endpoint for Atlassian Confluence and Jira services.", "description_and_impact": "The vulnerability in the MCP Atlassian server allows an unauthenticated attacker to trigger outbound HTTP requests to any URL by supplying unvalidated X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url headers. Because no Authorization header is required, the flaw permits remote control of outgoing traffic from the host. The flaw can be used for internal network reconnaissance, to exfiltrate data via the instance metadata service, or to inject attacker\u2011controlled content into LLM tool results. The flaw resides in the HTTP middleware and dependency injection layer, making it invisible to typical tool\u2010level code analysis.", "risk_and_exploitability": "According to the CVSS score of 8.2, this is a high\u2011severity vulnerability. The EPSS score of less than 1% indicates that exploitation is currently rare, and the flaw is not listed in the CISA KEV catalogue. Nonetheless, because the flaw is unauthenticated, an attacker with network access to the server can exploit it immediately. The potential impact includes internal network discovery, credential theft via the instance metadata endpoint, and malicious injection into LLM tool outputs. The risk is elevated in cloud or complex network environments where the server can reach internal services that it should not access."}}}}, "created": "2026-03-11T11:43:47.426039+00:00", "updated": "2026-04-16T03:45:16.013440+00:00", "vendors": ["sooperset", "sooperset$PRODUCT$mcp-atlassian"]}