CVE-2026-27826
published 2026-03-10

Priority: P2 (68)
Severity: high
CVSS 3.1 base score: 8.2 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
Exploit: public PoC available
EPSS: 13.59% (96.0th percentile)
MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers (`X-Atlassian-Jira-Url` and `X-Atlassian-Jira-Personal-Token`) without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency-injection layer, not in any MCP tool handler, which makes it invisible to tool-level code analysis. In cloud deployments this can enable theft of IAM role credentials via the instance metadata endpoint (`169.254.169.254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue.

Affected (3 ranges)

Vendor     Product        Version range     Fixed in
sooperset  mcp-atlassian  < 0.17.0          0.17.0
sooperset  mcp-atlassian  >= 0, < 0.17.0    0.17.0
sooperset  mcp_atlassian  < 0.17.0          0.17.0

Detection & IOCs (extracted from sources)

url            http://169.254.169.254
path           /mcp
header         X-Atlassian-Jira-Url
header         X-Atlassian-Jira-Personal-Token
header         Mcp-Session-Id
json-rpc body  {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"jira_get_issue","arguments":{"issue_key":"TEST-1"}}}
  • Detect SSRF exploitation attempts by monitoring inbound HTTP requests to mcp-atlassian's /mcp endpoint that carry both X-Atlassian-Jira-Url and X-Atlassian-Jira-Personal-Token headers but no Authorization header.
  • Alert on outbound HTTP requests from the mcp-atlassian server process to 169.254.169.254 (the AWS and other cloud instance metadata endpoint); such traffic indicates active SSRF exploitation aimed at IAM credential theft.
  • The vulnerability resides in the HTTP middleware/dependency-injection layer, not in MCP tool handlers, so tool-level logging or tracing will NOT surface this attack; monitor at the HTTP ingress layer instead.
  • Use the Nuclei PoC template logic as a detection signature: flag POST /mcp requests with Content-Type: application/json, an Mcp-Session-Id header, an X-Atlassian-Jira-Url pointing to an external or unexpected host, and no Authorization header.
  • The vulnerability is fixed in mcp-atlassian version 0.17.0; deployments on earlier versions are fully exposed to unauthenticated requests, and no authentication bypass is needed.
  • The attack surface only exists when mcp-atlassian is run in HTTP (server) mode; stdio/local transport modes are not reachable over the network and are not affected by this SSRF vector.
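The ingress and egress rules above, written out as an added worked example (this is not code from the advisory or from the mcp-atlassian project). The ingress rule parses a raw HTTP request head and flags a POST to /mcp that carries both custom Jira headers and no Authorization header, escalating when the Jira URL points at a metadata endpoint or at a host outside an allowlist; the egress rule flags the mcp-atlassian process talking to a metadata host. The allowlisted Atlassian hosts, the `key=value` egress log format and the sample requests are all constructed for this example.

```python
"""Detection rules for CVE-2026-27826 exploitation attempts against mcp-atlassian.

Added example; not the advisory's or the project's own code. Sample inputs and
the allowlist/log format are constructed assumptions for illustration.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the organisation's legitimate Atlassian hosts. Any other host in
# X-Atlassian-Jira-Url on an unauthenticated request is suspicious.
EXPECTED_ATLASSIAN_HOSTS = {"jira.example.com", "confluence.example.com"}
# Cloud instance metadata endpoints (IPv4/IPv6 link-local and the GCP alias).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, path, headers).

    Header names are lower-cased; a duplicate header keeps its last value.
    Parsing stops at the blank line so any body is ignored.
    """
    lines = raw.strip("\r\n").split("\n")
    method, path, _version = lines[0].strip().split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        line = line.strip("\r")
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_ingress(raw: str) -> Optional[str]:
    """Return a finding for a request matching the CVE-2026-27826 pattern, else None."""
    method, path, h = parse_request_head(raw)
    if method != "POST" or path.split("?", 1)[0] != "/mcp":
        return None
    if "authorization" in h:
        return None  # authenticated request: not the unauthenticated header path
    if "x-atlassian-jira-url" not in h or "x-atlassian-jira-personal-token" not in h:
        return None
    host = (urlsplit(h["x-atlassian-jira-url"]).hostname or "").lower()
    if host in METADATA_HOSTS:
        return f"CVE-2026-27826 SSRF: X-Atlassian-Jira-Url targets metadata endpoint {host}"
    if host not in EXPECTED_ATLASSIAN_HOSTS:
        return f"CVE-2026-27826 SSRF: X-Atlassian-Jira-Url targets unexpected host {host}"
    return f"CVE-2026-27826 pattern: unauthenticated per-request Jira credentials for {host}"


def flag_egress(log_line: str) -> bool:
    """True when a key=value egress record shows mcp-atlassian reaching a metadata host.

    Assumed record shape: 'ts=... proc=<name> dst=<host>:<port> method=... path=...'.
    """
    fields = dict(tok.split("=", 1) for tok in log_line.split() if "=" in tok)
    if fields.get("proc") != "mcp-atlassian":
        return False
    dst_host = fields.get("dst", "").rsplit(":", 1)[0].strip("[]").lower()
    return dst_host in METADATA_HOSTS


# Constructed sample inputs (not captured traffic).
MALICIOUS_REQUEST = (
    "POST /mcp HTTP/1.1\r\n"
    "Host: mcp.internal.example.com\r\n"
    "Content-Type: application/json\r\n"
    "Mcp-Session-Id: 0f2a9c1e\r\n"
    "X-Atlassian-Jira-Url: http://169.254.169.254\r\n"
    "X-Atlassian-Jira-Personal-Token: anything\r\n"
    "\r\n"
    '{"jsonrpc":"2.0","id":2,"method":"tools/call",'
    '"params":{"name":"jira_get_issue","arguments":{"issue_key":"TEST-1"}}}'
)
BENIGN_REQUEST = (
    "POST /mcp HTTP/1.1\r\n"
    "Host: mcp.internal.example.com\r\n"
    "Authorization: Bearer redacted\r\n"
    "Content-Type: application/json\r\n"
    "X-Atlassian-Jira-Url: https://jira.example.com\r\n"
    "X-Atlassian-Jira-Personal-Token: redacted\r\n"
    "\r\n"
)
EGRESS_HIT = ("ts=2026-03-10T12:00:01Z proc=mcp-atlassian dst=169.254.169.254:80 "
              "method=GET path=/latest/meta-data/iam/security-credentials/")
EGRESS_MISS = "ts=2026-03-10T12:00:02Z proc=mcp-atlassian dst=jira.example.com:443 method=GET path=/rest/api/2/issue/TEST-1"

if __name__ == "__main__":
    print(classify_ingress(MALICIOUS_REQUEST))
    print(classify_ingress(BENIGN_REQUEST))
    print(flag_egress(EGRESS_HIT), flag_egress(EGRESS_MISS))
```

The ingress rule deliberately does not require Mcp-Session-Id: a header-injection probe may arrive before a session exists, and requiring it would let an attacker evade detection by omitting it. Run the egress rule on whatever per-process connection log the host produces; the point is the (process, destination) pair, not the exact log format.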