Description
MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer — not in any MCP tool handler - making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue.
Published: 2026-03-10
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the MCP Atlassian server allows an unauthenticated attacker to trigger outbound HTTP requests to any URL by supplying unvalidated X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url headers. Because no Authorization header is required, the flaw permits remote control of outgoing traffic from the host. The flaw can be used for internal network reconnaissance, to exfiltrate data via the instance metadata service, or to inject attacker‑controlled content into LLM tool results. The flaw resides in the HTTP middleware and dependency injection layer, making it invisible to typical tool‐level code analysis.

Affected Systems

The affected product is the MCP Atlassian server, part of the sooperset project. Any version prior to 0.17.0 that exposes the mcp-atlassian HTTP endpoint is vulnerable. The server acts as a Model Context Protocol (MCP) endpoint for Atlassian Confluence and Jira services.

Risk and Exploitability

According to the CVSS score of 8.2, this is a high‑severity vulnerability. The EPSS score of less than 1% indicates that exploitation is currently rare, and the flaw is not listed in the CISA KEV catalogue. Nonetheless, because the flaw is unauthenticated, an attacker with network access to the server can exploit it immediately. The potential impact includes internal network discovery, credential theft via the instance metadata endpoint, and malicious injection into LLM tool outputs. The risk is elevated in cloud or complex network environments where the server can reach internal services that it should not access.

Generated by OpenCVE AI on April 16, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MCP Atlassian version 0.17.0 or later to apply the fix.
  • Restrict inbound traffic to the mcp‑atlassian endpoint using network controls or firewall rules so that only trusted hosts can connect.
  • At the network or proxy layer, block or strip X-Atlassian-Jira-Url and X-Atlassian-Confluence-Url headers to prevent the server from making unintended outbound requests.

Generated by OpenCVE AI on April 16, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7r34-79r5-rcc9 MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
History

Mon, 13 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Sooperset mcp Atlassian
CPEs cpe:2.3:a:sooperset:mcp_atlassian:*:*:*:*:*:*:*:*
Vendors & Products Sooperset mcp Atlassian

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sooperset
Sooperset mcp-atlassian
Vendors & Products Sooperset
Sooperset mcp-atlassian

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer — not in any MCP tool handler - making it invisible to tool-level code analysis. In cloud deployments, this could enable theft of IAM role credentials via the instance metadata endpoint (`169[.]254[.]169[.]254`). In any HTTP deployment it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. Version 0.17.0 fixes the issue.
Title MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Sooperset Mcp-atlassian Mcp Atlassian
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:15:10.505Z

Reserved: 2026-02-24T02:32:39.799Z

Link: CVE-2026-27826

cve-icon Vulnrichment

Updated: 2026-03-10T19:15:08.025Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T19:17:20.670

Modified: 2026-04-13T15:01:48.520

Link: CVE-2026-27826

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses