CVE-2026-27825

Critical

Published: 10 March 2026

Published

10 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0002 5.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27825 is a critical-severity Path Traversal (CWE-22) vulnerability in Mcp-Atlassian Mcp Atlassian. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cron (T1053.003); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Cron (T1053.003) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of the download_path parameter to enforce directory boundaries and block path traversal attempts.

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of access authorizations that restrict file writes to approved directories, directly countering the lack of boundary enforcement in the MCP tool.

AC-6 Least Privilege partial match

prevent

AC-6 limits server process privileges to the minimum necessary, reducing the impact of arbitrary file writes by preventing access to sensitive paths like /etc/cron.d/.

MITRE ATT&CK Enterprise TechniquesAI

T1053.003 Cron Execution

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Path traversal enables arbitrary file write to server-writable locations (e.g., /etc/cron.d/), directly facilitating cron-based scheduled execution for RCE; exploitation of the vuln with low privileges maps to privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, the `confluence_download_attachment` MCP tool accepts a `download_path` parameter that is written to without any directory boundary enforcement. An attacker who can…

call this tool and supply or access a Confluence attachment with malicious content can write arbitrary content to any path the server process has write access to. Because the attacker controls both the write destination and the written content (via an uploaded Confluence attachment), this constitutes for arbitrary code execution (for example, writing a valid cron entry to `/etc/cron.d/` achieves code execution within one scheduler cycle with no server restart required). Version 0.17.0 fixes the issue.

Deeper analysisAI

CVE-2026-27825 is a path traversal vulnerability (CWE-22, CWE-73) in the MCP Atlassian server, a Model Context Protocol (MCP) implementation for Atlassian products including Confluence and Jira. In versions prior to 0.17.0, the `confluence_download_attachment` MCP tool accepts a `download_path` parameter without directory boundary enforcement, allowing arbitrary file writes to paths accessible by the server process. This flaw enables attackers to overwrite files with content sourced from a Confluence attachment, potentially leading to arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An attacker with low privileges (PR:L) and adjacent network access (AV:A) can exploit this by calling the vulnerable MCP tool and providing a malicious `download_path` along with a Confluence attachment containing attacker-controlled content. Successful exploitation allows writing arbitrary data to any server-writable location, such as creating a cron job in `/etc/cron.d/` to achieve remote code execution within one scheduler cycle without requiring a server restart. No user interaction is needed (UI:N), and the scoped impact (S:C) amplifies confidentiality, integrity, and availability effects.

The issue is fixed in MCP Atlassian version 0.17.0. Security practitioners should upgrade to this version immediately. Relevant advisories and patch details are available in the GitHub security advisory at https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-xjgw-4wvw-rgm4 and the fixing commit at https://github.com/sooperset/mcp-atlassian/commit/52b9b0997681e87244b20d58034deae89c91631e.

Details

CWE(s): CWE-22 CWE-73

Affected Products

mcp-atlassian

mcp atlassian

≤ 0.17.0

AI Security AnalysisAI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, model context protocol, mcp, mcp

CVEs Like This One

CVE-2026-33989Shared CWE-22, CWE-73

CVE-2026-30282Shared CWE-22, CWE-73

CVE-2026-34783Shared CWE-22, CWE-73

CVE-2024-48885Shared CWE-22

CVE-2025-55282Shared CWE-22

CVE-2025-59291Shared CWE-73

CVE-2026-7400Shared CWE-22

CVE-2026-7810Shared CWE-22

CVE-2026-33329Shared CWE-22, CWE-73

CVE-2026-7811Shared CWE-22

References

https://github.com/sooperset/mcp-atlassian/commit/52b9b0997681e87244b20d58034deae89c91631e
Patch · security-advisories@github.com
https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-xjgw-4wvw-rgm4
Vendor Advisory · security-advisories@github.com