CVE-2026-42864
Status: Received - Intake
Server-Side Request Forgery in FireFighter Incident Management

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via httpx.get() with no URL validation, then uploaded as an attachment on the Jira ticket that gets created. An unauthenticated caller able to reach the ingress can coerce the pod into fetching arbitrary URLs and exfiltrate the response as a Jira attachment. On EC2/EKS deployments that do not enforce IMDSv2, this allows theft of the temporary AWS credentials attached to the pod's IAM role. The docstring on the view claims a Bearer token is required, but the code does not enforce it. This vulnerability is fixed in 0.0.54.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
manomanotech | firefighter-incident | all versions before 0.0.54 (0.0.54 itself is fixed)
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-306 (Missing Authentication for Critical Function): The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42864 is a vulnerability in the FireFighter incident management application, versions before 0.0.54 (no CVSS score is listed on this page). The POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is configured with permission_classes = [permissions.AllowAny], so it is reachable without any authentication, and it passes each URL in the request's attachments payload straight to httpx.get() without validating it. That combination is a Server-Side Request Forgery (SSRF): an unauthenticated caller chooses what the application pod fetches, and the pod then uploads the response as an attachment on the Jira ticket the endpoint creates, which gives the attacker a read-back channel for whatever was fetched.

The view's docstring says a Bearer token is required, but nothing in the code enforces it, so the documented authentication never happens.

Any HTTP service reachable from the pod's network position is exposed this way, not only the cloud metadata service. On EC2/EKS deployments that do not enforce IMDSv2, the most damaging target is the metadata endpoint at 169.254.169.254: a GET to its IAM security-credentials path returns the temporary AWS credentials of the pod's IAM role, which then come back to the attacker inside the Jira attachment. IMDSv2 blocks this particular target because it requires a PUT request with a session token before any metadata GET, which a bare httpx.get() cannot perform.
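As an added illustration (this is not code from the FireFighter project; the advisory gives only the description above), the following Python sketches the pre-0.0.54 pattern beside a hardened version. The names fetch_attachment_vulnerable, fetch_attachment_hardened and is_safe_attachment_url, and the injected http_get callable, are this example's own; the real view calls httpx.get. The validator accepts only http(s) URLs, resolves the host, and refuses any address that is not globally routable, which covers 169.254.169.254, RFC 1918 space, loopback, carrier-grade NAT space and the IPv4-mapped IPv6 spelling of the metadata address.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def _unmap(addr):
    """Treat ::ffff:169.254.169.254 as 169.254.169.254: it is the same host on the wire."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _resolve(host):
    """All addresses the host maps to; a literal IP maps to itself without a DNS lookup."""
    try:
        return [_unmap(ipaddress.ip_address(host))]
    except ValueError:
        pass  # not a literal address, resolve it
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [_unmap(ipaddress.ip_address(info[4][0])) for info in infos]


def is_safe_attachment_url(url):
    """Allow only http(s) URLs whose every resolved address is globally routable.

    is_global is False for RFC 1918 space, loopback, link-local (169.254.0.0/16,
    so the AWS metadata service), 100.64.0.0/10, ULA IPv6 and the unspecified and
    reserved ranges, which is the set an SSRF sink must refuse.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    if not parsed.hostname:
        return False
    addrs = _resolve(parsed.hostname)
    if not addrs:  # unresolvable: fail closed
        return False
    return all(addr.is_global for addr in addrs)


def fetch_attachment_vulnerable(url, http_get):
    """Pre-0.0.54 shape as the advisory describes it: fetch whatever URL the caller
    supplied. http_get stands in for httpx.get so the example runs offline."""
    return http_get(url)


def fetch_attachment_hardened(url, http_get):
    """Same fetch, but refuse anything that is not a public http(s) destination."""
    if not is_safe_attachment_url(url):
        raise ValueError(f"refusing to fetch attachment from {url!r}")
    return http_get(url)


if __name__ == "__main__":
    fetched = []

    def fake_get(url):  # records the URL instead of making a request
        fetched.append(url)
        return b"<response body>"

    imds = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    fetch_attachment_vulnerable(imds, fake_get)  # the IMDS URL is fetched
    try:
        fetch_attachment_hardened(imds, fake_get)
    except ValueError as exc:
        print(exc)  # refused before any request is made
    print(fetched)
```

Two caveats a reviewer would raise. The validator checks what the hostname resolves to at validation time, so a DNS name that rebinds between the check and the connect can still slip through unless the client connects to the address it validated. Redirects need the same validation: httpx does not follow redirects by default, so a plain httpx.get() is not exposed to a redirect bounce, but a client configured with follow_redirects=True would be. Authentication is the companion fix; in a Django REST framework view that means replacing permissions.AllowAny with a class such as permissions.IsAuthenticated, though the advisory does not say which change 0.0.54 made.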


How can this vulnerability impact me?

An attacker who can reach the ingress, with no account on the application, can make the FireFighter pod issue GET requests to any URL and read the responses back as Jira attachments. That reaches internal services that trust the pod's network position (admin interfaces, internal APIs, cloud metadata) even though they are not exposed to the attacker directly.

On AWS EC2 or EKS deployments without IMDSv2 enforcement, the pod's IAM role credentials can be read from the metadata service and used from anywhere until they expire, giving the attacker whatever that role is permitted to do in the account and a foothold for further compromise if the role is broad.

The fetched data leaves through Jira: it is stored as an attachment on a ticket the endpoint creates, so whoever can read that ticket can read the data. How visible that ticket is depends on the permissions of the Jira project the bot files into; the endpoint also lets an unauthenticated party create tickets and attachments in that project at will.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

First establish the version: any deployment of FireFighter (the firefighter-incident package) before 0.0.54 is affected, so check the deployed package or image version before probing anything.

To confirm the behaviour, send an unauthenticated POST to /api/v2/firefighter/raid/jira_bot with an attachments URL you control and watch for the server-side fetch. Two caveats: a successful probe creates a real Jira ticket with a real attachment, so run it against a staging instance or clean up the ticket afterwards, and point the URL at a listener you operate rather than a third-party site such as example.com, so that you can observe whether the pod actually made the request. The payload below follows the shape the advisory describes (an attachments list); the exact field names are not documented on this page, so adjust them to the version you run.

  • curl -X POST http://<firefighter-server>/api/v2/firefighter/raid/jira_bot -d '{"attachments": ["http://<listener-you-control>/probe"]}' -H 'Content-Type: application/json' -v

If the request is processed without any Authorization header, your listener receives a GET from the pod, and a Jira ticket appears with the response attached, the vulnerability is present. Once upgraded to 0.0.54, repeat the probe: the unauthenticated request should no longer result in a fetch.

Additionally, monitor the FireFighter pod's outbound traffic for requests to unexpected destinations, above all 169.254.169.254 (the AWS metadata service) and internal addresses the application has no reason to contact. A pod that obtains AWS credentials through IRSA, or uses no AWS API at all, has no reason to touch the metadata service, so an IMDS request from it shortly after a POST to the jira_bot endpoint is the signature of credential theft. Jira itself is a second source of evidence: review tickets created through the bot endpoint for attachments that look like metadata responses, credential JSON or internal pages, since that is where the exfiltrated data lands.
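The two signals in the answer above (unauthenticated POSTs to the endpoint, and metadata-service traffic from the application pod), as an added detection example that is not part of this page or of the FireFighter project. The log formats, pod names, client addresses and timestamps are constructed for the example; the regexes must be adapted to what your ingress controller and CNI actually emit, and ingress controllers do not log whether an Authorization header was present unless you add that field.

```python
import re
from dataclasses import dataclass
from datetime import datetime

TARGET_PATH = "/api/v2/firefighter/raid/jira_bot"
IMDS_ADDRESS = "169.254.169.254"

# Constructed ingress access-log format: timestamp, client IP, request line, status,
# and whether an Authorization header was present (an assumed extra field).
INGRESS_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) auth=(?P<auth>present|absent)$'
)
# Constructed pod egress records, the shape a CNI or network-policy logger might emit.
EGRESS_LINE = re.compile(
    r'^(?P<ts>\S+) pod=(?P<pod>\S+) dst=(?P<dst>[0-9a-fA-F.:]+) dport=(?P<dport>\d+)$'
)

# Constructed sample data: one unauthenticated POST that was accepted (201), one
# authenticated POST, one unrelated unauthenticated GET that was rejected.
SAMPLE_INGRESS = """\
2026-05-12T09:14:02Z 203.0.113.45 "POST /api/v2/firefighter/raid/jira_bot HTTP/1.1" 201 auth=absent
2026-05-12T09:14:05Z 198.51.100.7 "POST /api/v2/firefighter/raid/jira_bot HTTP/1.1" 201 auth=present
2026-05-12T09:14:09Z 203.0.113.45 "GET /api/v2/firefighter/incidents/ HTTP/1.1" 401 auth=absent
""".splitlines()

SAMPLE_EGRESS = """\
2026-05-12T09:14:03Z pod=firefighter-web-7c9d8 dst=169.254.169.254 dport=80
2026-05-12T09:14:03Z pod=firefighter-web-7c9d8 dst=203.0.113.9 dport=443
2026-05-12T09:14:04Z pod=jira-sync-1a2b dst=169.254.169.254 dport=80
""".splitlines()


@dataclass
class Finding:
    ts: datetime
    kind: str
    detail: str


def _parse_ts(ts):
    # datetime.fromisoformat only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan_ingress(lines):
    """Unauthenticated POSTs to the jira_bot endpoint. A 2xx status means the
    endpoint processed the request, i.e. the pre-0.0.54 AllowAny behaviour."""
    findings = []
    for line in lines:
        m = INGRESS_LINE.match(line)
        if not m or m["method"] != "POST" or m["auth"] != "absent":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        accepted = m["status"].startswith("2")
        findings.append(Finding(_parse_ts(m["ts"]), "unauthenticated_jira_bot_post",
                                f"src={m['src']} status={m['status']} accepted={accepted}"))
    return findings


def scan_egress(lines, pod_prefix="firefighter"):
    """Connections from the application pods to the metadata service. Only pods
    that legitimately pull credentials from IMDS should ever produce these."""
    findings = []
    for line in lines:
        m = EGRESS_LINE.match(line)
        if not m or not m["pod"].startswith(pod_prefix) or m["dst"] != IMDS_ADDRESS:
            continue
        findings.append(Finding(_parse_ts(m["ts"]), "imds_access_from_app_pod",
                                f"pod={m['pod']} dport={m['dport']}"))
    return findings


def correlate(ingress_findings, egress_findings, window_seconds=30):
    """Pair an unauthenticated POST with an IMDS hit that follows it within the
    window: the view fetches server-side while handling the request, so the two
    events sit close together when the bug is used for credential theft."""
    pairs = []
    for hit in ingress_findings:
        for egress in egress_findings:
            delta = (egress.ts - hit.ts).total_seconds()
            if 0 <= delta <= window_seconds:
                pairs.append((hit, egress))
    return pairs


if __name__ == "__main__":
    ingress = scan_ingress(SAMPLE_INGRESS)
    egress = scan_egress(SAMPLE_EGRESS)
    for hit, out in correlate(ingress, egress):
        print(f"{hit.ts.isoformat()} {hit.detail} -> {out.detail}")
```

The correlation window is the useful part: an accepted unauthenticated POST on its own tells you the endpoint is exposed, an IMDS hit on its own may be a false positive on clusters where pods still use the node role, but the pair within a few seconds is what an exploitation attempt looks like.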


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade FireFighter to 0.0.54 or later, where the advisory states the issue is fixed. This is the only step that removes the SSRF itself; the steps below limit the damage until the upgrade lands.
  • Until then, block unauthenticated access to POST /api/v2/firefighter/raid/jira_bot at the ingress, WAF or network layer (restrict the path to trusted networks or callers), since the application does not check the Bearer token its docstring promises.
  • Enforce IMDSv2 on the EC2 nodes (HttpTokens set to required; on EKS also consider a PUT response hop limit of 1 so that pods in their own network namespace cannot complete the IMDSv2 token handshake). This closes the credential-theft vector but not the SSRF: other internal HTTP services remain reachable through the endpoint.
  • Treat the pod's IAM role credentials as possibly exposed: review CloudTrail for use of that role from outside the cluster's address space, and revoke the role's active sessions if anything looks wrong. The temporary credentials stay valid until they expire, so waiting them out is not a mitigation.
  • Audit Jira for tickets created through the bot endpoint and remove attachments that contain exfiltrated data. The advisory does not describe the application's own Jira credential as exposed; the ticket content is where stolen data lands.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) to fetch arbitrary URLs and exfiltrate sensitive data as Jira attachments. On certain deployments, it can lead to theft of temporary AWS IAM credentials, which may expose sensitive information.

Such unauthorized access and potential data exfiltration can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data, as well as measures to prevent unauthorized disclosure.

Therefore, this vulnerability poses a significant risk to compliance with these standards by undermining confidentiality and access controls.

