Description
FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via httpx.get() with no URL validation, then uploaded as an attachment on the Jira ticket that gets created. An unauthenticated caller able to reach the ingress can coerce the pod into fetching arbitrary URLs and exfiltrate the response as a Jira attachment. On EC2/EKS deployments that do not enforce IMDSv2, this allows theft of the temporary AWS credentials attached to the pod's IAM role. The docstring on the view claims a Bearer token is required, but the code does not enforce it. This vulnerability is fixed in 0.0.54.
Published: 2026-05-11
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FireFighter incident management application exposes the POST /api/v2/firefighter/raid/jira_bot endpoint to unauthenticated requests due to a permission_classes setting of AllowAny. An attacker can supply an arbitrary URL in the attachment payload; the server fetches that URL using httpx.get() without validation and then uploads the response as a Jira attachment. This Server Side Request Forgery flaw allows an attacker to coerce the pod into retrieving data from any reachable location, including AWS’s instance metadata service, thereby exfiltrating temporary IAM credentials if IMDSv2 is not enforced.

Affected Systems

The vulnerability affects ManoManoTech firefFighter-incident versions earlier than 0.0.54. It is relevant for deployments on EC2 or EKS where the pod is granted an IAM role and available to external traffic without authentication.

Risk and Exploitability

The CVSS score of 9.9 marks the flaw as critical. EPSS data is not provided, but the lack of authentication combined with SSRF makes exploitation straightforward for any actor who can reach the public ingress. The flaw could lead to the compromise of temporary AWS credentials, granting full access to the associated IAM role – a serious impact on confidentiality, integrity, and availability. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 11, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FireFighter to version 0.0.54 or later, which enforces authentication on the /api/v2/firefighter/raid/jira_bot endpoint.
  • Restrict inbound traffic to the Raid Jira Bot endpoint, for example by enabling authentication or by firewalling the endpoint to trusted IP ranges.
  • Configure EC2/EKS instances to enforce IMDSv2 or remove the IAM role permissions that allow access to the instance metadata service from the pod.

Generated by OpenCVE AI on May 11, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fqvv-jvhr-g5jc FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft
History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Manomanotech
Manomanotech firefighter-incident
Vendors & Products Manomanotech
Manomanotech firefighter-incident

Mon, 11 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication (permission_classes = [permissions.AllowAny]). Its attachments payload is fetched server-side via httpx.get() with no URL validation, then uploaded as an attachment on the Jira ticket that gets created. An unauthenticated caller able to reach the ingress can coerce the pod into fetching arbitrary URLs and exfiltrate the response as a Jira attachment. On EC2/EKS deployments that do not enforce IMDSv2, this allows theft of the temporary AWS credentials attached to the pod's IAM role. The docstring on the view claims a Bearer token is required, but the code does not enforce it. This vulnerability is fixed in 0.0.54.
Title FireFighter: Unauthenticated SSRF in Raid jira_bot endpoint allows IAM credential theft
Weaknesses CWE-306
CWE-918
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Manomanotech Firefighter-incident
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:34:12.513Z

Reserved: 2026-04-30T16:44:48.380Z

Link: CVE-2026-42864

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-11T19:16:24.417

Modified: 2026-05-11T19:16:24.417

Link: CVE-2026-42864

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:33Z

Weaknesses