CVE-2026-27826
Received Received - Intake
Server-Side Request Forgery in MCP Atlassian Enables Credential Theft

Publication date: 2026-03-10

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer β€” not in any MCP tool handler - making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27826
EUVD
EUVD-2026-10788
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sooperset mcp_atlassian to 0.17.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects MCP Atlassian, a Model Context Protocol server used for Atlassian products like Confluence and Jira. Before version 0.17.0, an unauthenticated attacker who can access the mcp-atlassian HTTP endpoint can force the server to make outbound HTTP requests to any attacker-controlled URL by supplying two custom HTTP headers without needing an Authorization header.

The issue lies in the HTTP middleware and dependency injection layer, not in the MCP tool handlers, making it difficult to detect through tool-level code analysis.

Impact Analysis

This vulnerability can have serious impacts depending on the deployment environment.

  • In cloud deployments, it could allow attackers to steal IAM role credentials by accessing the instance metadata endpoint.
  • In any HTTP deployment, it enables attackers to perform internal network reconnaissance and inject attacker-controlled content into large language model (LLM) tool results.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

Upgrade the MCP Atlassian server to version 0.17.0 or later, as this version fixes the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27826. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart