Cyber Posture

CVE-2026-27826

High · Public PoC

Published: 10 March 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0008 (24.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27826 is a high-severity SSRF (CWE-918) vulnerability in Sooperset Mcp Atlassian. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). By exploit likelihood (EPSS) it ranks at the 24.2th percentile, below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Network Service Discovery (T1046) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely remediation of known flaws, such as upgrading to MCP Atlassian version 0.17.0 which fixes the SSRF vulnerability in the HTTP middleware.

prevent

Enforces boundary protection to monitor and control outbound HTTP requests from the server, blocking access to arbitrary URLs including cloud metadata endpoints.

prevent

Validates inputs like custom HTTP headers to prevent injection of arbitrary URLs that trigger SSRF outbound requests.
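One way to apply the input-validation control to a URL that arrives in a request header, as an added example (not code from mcp-atlassian or its fix). The function name, the allowlisted host and the sample values are assumptions constructed for illustration; the page does not name the two headers involved.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: operators list the only upstream hosts this server may call.
ALLOWED_HOSTS = frozenset({"example.atlassian.net"})


def check_upstream_url(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return (normalised_base_url, "ok") or (None, reason) for a header-supplied URL."""
    # urlsplit silently drops some control characters, so reject them first.
    if not raw or any(ch.isspace() or ord(ch) < 0x20 for ch in raw):
        return None, "empty or contains whitespace/control characters"
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None, "unparseable URL"
    if parts.scheme != "https":
        return None, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return None, "userinfo present"  # blocks allowed-host@other-host tricks
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return None, "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, checked against the allowlist below
    if addr is not None:
        kind = "link-local" if addr.is_link_local else "literal"
        return None, f"{kind} IP address refused"
    if host not in allowed_hosts:  # exact match, never suffix or substring
        return None, "host not on allowlist"
    if port not in (None, 443):
        return None, "non-default port"
    return f"https://{host}", "ok"  # path and query from the header are dropped


# Constructed sample header values, not taken from the advisory or a real request.
SAMPLES = [
    "https://example.atlassian.net/wiki",
    "https://169.254.169.254/",
    "https://example.atlassian.net@169.254.169.254/",
    "https://example.atlassian.net.evil.test/",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", check_upstream_url(value))
```

An allowlist check of this kind covers the SI-10 side only; the outbound client should also refuse redirects, and the SC-7 egress filter remains the backstop.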

MITRE ATT&CK Enterprise Techniques · AI

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Why these techniques?

SSRF enables internal network reconnaissance, which maps to Network Service Discovery (T1046), and theft of IAM credentials via the cloud instance metadata endpoint, which maps to Cloud Instance Metadata API (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer, not in any MCP tool handler, making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue.

Deeper analysis · AI

MCP Atlassian is a Model Context Protocol (MCP) server designed for integration with Atlassian products such as Confluence and Jira. Versions prior to 0.17.0 contain a vulnerability (CVE-2026-27826, CWE-918) that allows an unauthenticated attacker to force the server process to make outbound HTTP requests to arbitrary attacker-controlled URLs. This server-side request forgery (SSRF) issue arises in the HTTP middleware and dependency injection layer, rather than in MCP tool handlers, rendering it undetectable by tool-level code analysis. The vulnerability has a CVSS v3.1 score of 8.2 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).

An unauthenticated attacker with adjacent network access to the mcp-atlassian HTTP endpoint can exploit this by supplying two custom HTTP headers without an Authorization header. Successful exploitation enables the attacker to conduct internal network reconnaissance from the server's perspective. In cloud deployments, it facilitates theft of IAM role credentials by targeting the instance metadata endpoint at 169.254.169.254. Across any HTTP deployment, it allows injection of attacker-controlled content into LLM tool results.

The GitHub security advisory (GHSA-7r34-79r5-rcc9) and fixing commit (5cd697dfce9116ef330b8dc7a91291640e0528d9) confirm that upgrading to version 0.17.0 resolves the issue.

This vulnerability is particularly relevant to AI/ML deployments, as MCP servers bridge LLMs with enterprise tools, potentially exposing LLM integrations to SSRF-based content manipulation or credential theft. No real-world exploitation has been reported.

Details

CWE(s)

Affected Products

sooperset · mcp atlassian · ≤ 0.17.0

AI Security Analysis · AI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, model context protocol, mcp, mcp, mcp, llm

CVEs Like This One

CVE-2026-28416 · Shared CWE-918
CVE-2026-34476 · Shared CWE-918
CVE-2026-39974 · Shared CWE-918
CVE-2026-5346 · Shared CWE-918
CVE-2026-39885 · Shared CWE-918
CVE-2025-22603 · Shared CWE-918
CVE-2026-32133 · Shared CWE-918
CVE-2026-0560 · Shared CWE-918
CVE-2026-22219 · Shared CWE-918
CVE-2026-30232 · Shared CWE-918
