CVE-2026-27826
Published: 10 March 2026
Description
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Security Summary
MCP Atlassian is a Model Context Protocol (MCP) server designed for integration with Atlassian products such as Confluence and Jira. Versions prior to 0.17.0 contain a vulnerability (CVE-2026-27826, CWE-918) that allows an unauthenticated attacker to force the server process to make outbound HTTP requests to arbitrary attacker-controlled URLs. This server-side request forgery (SSRF) issue arises in the HTTP middleware and dependency injection layer rather than in the MCP tool handlers, so code analysis that looks only at the tool handlers will not find it. The vulnerability has a CVSS v3.1 score of 8.2 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
An unauthenticated attacker with adjacent network access to the mcp-atlassian HTTP endpoint can exploit this by supplying two custom HTTP headers without an Authorization header. Successful exploitation enables the attacker to conduct internal network reconnaissance from the server's perspective. In cloud deployments, it enables theft of IAM role credentials by directing the request at the instance metadata endpoint at 169.254.169.254. In any HTTP deployment, it allows injection of attacker-controlled content into LLM tool results.
The GitHub security advisory (GHSA-7r34-79r5-rcc9) and fixing commit (5cd697dfce9116ef330b8dc7a91291640e0528d9) confirm that upgrading to version 0.17.0 resolves the issue.
This vulnerability is particularly relevant to AI/ML deployments, as MCP servers bridge LLMs with enterprise tools, potentially exposing LLM integrations to SSRF-based content manipulation or credential theft. No real-world exploitation has been reported.
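The mitigation pattern for the issue described above, written as an added example rather than code from mcp-atlassian: any upstream base URL taken from request headers is checked against a configured host allowlist and, after name resolution, against link-local address space (where the 169.254.169.254 metadata endpoint lives) before the server is allowed to follow it. The allowlist, the sample DNS answers and the function names are constructed assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only Atlassian hosts this deployment should ever contact.
ALLOWED_HOSTS = {"jira.example.internal", "confluence.example.internal"}

# Constructed DNS answers so the example runs offline; confluence deliberately
# resolves to the metadata address to model a rebinding / poisoned-DNS case.
SAMPLE_RESOLUTIONS = {
    "jira.example.internal": ["10.0.0.5"],
    "confluence.example.internal": ["169.254.169.254"],
}

def sample_resolver(host):
    return SAMPLE_RESOLUTIONS[host]

def live_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_forbidden_address(ip_str):
    ip = ipaddress.ip_address(ip_str)
    # Link-local (169.254.0.0/16, fe80::/10) is where cloud instance metadata lives.
    return ip.is_link_local or ip.is_loopback or ip.is_unspecified or ip.is_multicast

def check_upstream_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=live_resolver):
    """Return (ok, reason); only follow the URL when ok is True."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname  # already lowercased; brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolver(host)
    except (OSError, KeyError) as exc:
        return False, f"could not resolve {host!r}: {exc!r}"
    for addr in addresses:
        if is_forbidden_address(addr):
            return False, f"{host!r} resolves to forbidden address {addr}"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("https://jira.example.internal/rest/api/2/myself",
                      "https://confluence.example.internal/wiki"):
        print(candidate, "->", check_upstream_url(candidate, resolver=sample_resolver))
```

Resolving here and again inside the HTTP client leaves a small rebinding window; an HTTP client that connects to the address this check vetted closes it.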
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: mcp, model context protocol, mcp, mcp, mcp, llm
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF enables internal network reconnaissance, which maps to Network Service Discovery (T1046), and theft of IAM credentials via the cloud instance metadata endpoint, which maps to Cloud Instance Metadata API (T1552.005).