Advisory

Critical RCE and SSRF Vulnerabilities Discovered in Popular mcp-atlassian Server

Take action: If you use mcp-atlassian, update to version 0.17.0 or later as soon as possible. Because these servers run with high privileges and, by default, no authentication, network isolation is your first line of defense against unauthorized access and lateral movement within your environment.


Learn More

The maintainer of the open-source mcp-atlassian project released version 0.17.0 to patch two security flaws that allow unauthenticated remote code execution (RCE) and server-side request forgery (SSRF).

The default configuration of mcp-atlassian binds to all network interfaces (0.0.0.0) without authentication, so an exposed instance can be attacked by anyone who can reach it on the network, with no credentials required.

Vulnerabilities summary:

  • CVE-2026-27825 (CVSS score 9.1) - An arbitrary file write caused by missing directory confinement in the Confluence attachment download tools. The download_attachment function builds the destination from a caller-supplied target path using os.path.abspath(), which normalizes the path but never verifies that the result stays within a safe directory. An attacker can therefore overwrite files such as ~/.bashrc, ~/.ssh/authorized_keys, or a cron job under /etc/cron.d/ and run arbitrary commands with the privileges of the MCP server process.
  • CVE-2026-27826 (CVSS score 8.2) - A high-severity SSRF in the server's middleware, which accepts X-Atlassian-Jira-Url and X-Atlassian-Confluence-Url headers without validation. An attacker who can send requests to the server can set these headers to make it send its authenticated Atlassian requests to an attacker-controlled destination. The server can thus be used as a proxy to scan internal networks, or legitimate Atlassian traffic, credentials included, can be redirected to a malicious endpoint and exfiltrated.
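To make the path-confinement failure behind CVE-2026-27825 concrete, the following is an added example in Python (the project's language). It is not code from the mcp-atlassian project or from the advisory's authors: the download root, the names resolve_target_vulnerable(), is_confined() and relative_to_root(), and the body of validate_safe_path() are assumptions made for this illustration; the function in the fixed release shares only the name. The vulnerable pattern is shown beside a hardened check that also handles two cases the bullet above does not mention, symlinks inside the root and sibling directories that share the root's name as a prefix.

```python
import os

# Added illustration, not mcp-atlassian code. The download root is assumed for
# the example and does not need to exist on disk: realpath() still normalises it.
DOWNLOAD_ROOT = "/var/lib/mcp-atlassian/downloads"


class UnsafePathError(ValueError):
    """Raised when a caller-supplied target path would leave the download root."""


def resolve_target_vulnerable(target_dir, filename):
    """Pattern of the flaw described above (reconstructed, not the project's
    code): abspath() collapses '..' segments but never compares the result
    with a safe root, so a caller-supplied target_dir such as '/etc/cron.d'
    or a '..'-laden relative path is accepted as-is."""
    return os.path.abspath(os.path.join(target_dir, filename))


def validate_safe_path(target_path, root=DOWNLOAD_ROOT):
    """Hypothetical hardened check; the name mirrors the one the advisory
    mentions but this body is an assumption, not the project's implementation.

    Returns the resolved path only if it is the root itself or a descendant
    of it. Two details matter:
      - realpath() resolves symlinks as well as '..', so a link inside the
        root that points outside is caught, not just textual traversal;
      - commonpath() is used instead of startswith(), so a sibling such as
        '<root>-evil/x' cannot pass on a string-prefix match.
    """
    root_real = os.path.realpath(root)
    # Relative targets are interpreted under the root; absolute targets are
    # resolved as given and must still land under the root.
    joined = target_path if os.path.isabs(target_path) else os.path.join(root_real, target_path)
    candidate = os.path.realpath(joined)
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePathError(
            f"{target_path!r} resolves to {candidate!r}, outside {root_real!r}"
        )
    return candidate


def is_confined(target_path, root=DOWNLOAD_ROOT):
    """Boolean form of validate_safe_path() for callers that only need a verdict."""
    try:
        validate_safe_path(target_path, root)
    except UnsafePathError:
        return False
    return True


def relative_to_root(target_path, root=DOWNLOAD_ROOT):
    """Accepted path expressed relative to the (resolved) root, e.g. 'reports/q1.pdf'."""
    return os.path.relpath(validate_safe_path(target_path, root), os.path.realpath(root))


if __name__ == "__main__":
    # Constructed inputs: the attacker-style paths mirror the targets named in the advisory.
    for target in ("reports/q1.pdf", "../../../../etc/cron.d/backdoor",
                   "/etc/cron.d/backdoor", DOWNLOAD_ROOT + "-evil/x"):
        print(f"{target!r:48} vulnerable -> {resolve_target_vulnerable(DOWNLOAD_ROOT, target)}"
              f"  confined={is_confined(target)}")
```

The check is only as good as the root it is given: the caller must pass a directory the server process is meant to write to, and the file should then be created with that resolved path, not re-derived from the user input a second time.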

Together, these flaws let attackers abuse the MCP server's privileged access and elevated permissions to steal credentials and gain a direct foothold on both the host system and the broader corporate network.

The flaws affect all versions of mcp-atlassian prior to 0.17.0, whatever the installation method: uvx, Docker, or a standard pip install. Both the missing path confinement and the unvalidated URL headers that enable the SSRF attacks are present in every pre-0.17.0 release.

To remediate these issues, update to mcp-atlassian version 0.17.0 or later. That release introduces validate_safe_path() to enforce directory boundaries on attachment downloads and validate_url_for_ssrf() to block requests to local or private IP addresses.
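The following added Python example shows what a validation step of the kind the remediation paragraph describes has to cover for the header-driven SSRF of CVE-2026-27826. It is not the project's validate_url_for_ssrf() and not code from the advisory's authors: the function body, the names is_safe_url(), table_resolver() and _is_internal(), the https-only rule, and the CONSTRUCTED_DNS table that stands in for a resolver so the example runs offline are all assumptions made here. It goes beyond the "local or private IP" wording above in three ways a practitioner would want: it rejects IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1, it checks every DNS record of a hostname rather than the first, and it refuses URLs carrying userinfo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added illustration, not mcp-atlassian code. CONSTRUCTED_DNS stands in for a
# resolver so the example runs offline; the names and addresses are placeholders.
CONSTRUCTED_DNS = {
    "atlassian.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.35", "10.0.0.5"],  # one public and one internal record
    "intranet.corp.example": ["10.1.2.3"],
}


class SSRFError(ValueError):
    """Raised when a caller-supplied base URL must not be contacted server-side."""


def table_resolver(host, port, family=0, type=0, proto=0, flags=0):
    """Stand-in for socket.getaddrinfo() with the same call shape, backed by
    CONSTRUCTED_DNS; raises socket.gaierror for unknown names as the real one does."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in CONSTRUCTED_DNS[host]]


def _is_internal(ip):
    """True for addresses a server-side fetch must never reach: loopback, RFC 1918,
    link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast,
    unspecified, and the documentation/benchmark ranges that is_global also excludes.
    IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 are unwrapped first."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified)


def validate_url_for_ssrf(url, resolver=socket.getaddrinfo, allowed_hosts=None):
    """Hypothetical hardened check; the name mirrors the one the advisory mentions
    but this body is an assumption, not the project's implementation.

    Returns (host, port, [addresses]) when the URL may be used as an Atlassian
    base URL, otherwise raises SSRFError. With allowed_hosts set, only those
    hostnames pass at all, which is the stronger policy for a fixed tenant."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: Atlassian base URLs are always https
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.example@10.0.0.5/' would otherwise read as trusted to a human.
        raise SSRFError("userinfo in URL rejected")
    host = parts.hostname
    if not host:
        raise SSRFError("missing host")
    try:
        port = parts.port or 443
    except ValueError as exc:
        raise SSRFError(f"invalid port: {exc}") from None
    if allowed_hosts is not None and host not in allowed_hosts:
        raise SSRFError(f"host not in allow-list: {host!r}")
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # A hostname: resolve it and check every record, not just the first.
        # A name with one public and one internal record (round-robin or DNS
        # rebinding) is rejected outright. Resolving also normalises forms such
        # as a bare decimal '2130706433' that ip_address() does not parse.
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except socket.gaierror as exc:
            raise SSRFError(f"cannot resolve {host!r}: {exc}") from None
        addrs = []
        for info in infos:
            ip = ipaddress.ip_address(info[4][0])
            if ip not in addrs:
                addrs.append(ip)
    for ip in addrs:
        if _is_internal(ip):
            raise SSRFError(f"{host!r} resolves to non-public address {ip}")
    return host, port, [str(ip) for ip in addrs]


def is_safe_url(url, resolver=socket.getaddrinfo, allowed_hosts=None):
    """Boolean form of validate_url_for_ssrf() for callers that only need a verdict."""
    try:
        validate_url_for_ssrf(url, resolver, allowed_hosts)
    except SSRFError:
        return False
    return True


if __name__ == "__main__":
    # Constructed header values an attacker might send in X-Atlassian-Jira-Url.
    for candidate in ("https://atlassian.example/", "https://127.0.0.1:8080/",
                      "https://[::ffff:127.0.0.1]/", "https://169.254.169.254/latest/meta-data/",
                      "https://rebind.example/", "https://atlassian.example@10.0.0.5/"):
        print(f"{candidate:48} safe={is_safe_url(candidate, resolver=table_resolver)}")
```

Two caveats apply to any check of this shape. First, validate-then-fetch is still open to DNS rebinding between the lookup and the connection unless the HTTP client connects to the addresses returned here (or re-validates on every redirect), so the returned list should be pinned rather than discarded. Second, binding the server to 127.0.0.1 does not make this check unnecessary: the headers are set by whoever is allowed to talk to the server, and for a shared or proxied deployment that is not only the administrator.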

Beyond patching, restrict network exposure: bind the service to 127.0.0.1 instead of 0.0.0.0 and put authentication in front of it, for example an authenticating reverse proxy, rather than relying on the server's own defaults for access control. On Linux, ss -ltnp shows which address each listening process is bound to, so you can confirm the change took effect.
