MCPwnfluence — CVE-2026-27825 & CVE-2026-27826

Two critical vulnerabilities in mcp-atlassian, one of the most popular MCP servers in the ecosystem (4.4K+ GitHub stars, 4M+ downloads).

Discovered by the team at Pluto Security.

The Vulnerabilities

CVE             CVSS            Type                        Description
CVE-2026-27825  9.1 (Critical)  Arbitrary File Write / RCE  Path traversal in attachment download allows writing any file to the host filesystem
CVE-2026-27826  8.2 (High)      SSRF via Header Injection   Unvalidated URL headers let attackers use the MCP server as a proxy into internal networks

Affected versions: < 0.17.0 using HTTP transport (streamable-http or sse)

Fixed in: v0.17.0

Why This Matters

When mcp-atlassian runs with HTTP transport, it binds to 0.0.0.0 (all network interfaces) with no authentication. Any device on the same network — a shared office WiFi, a co-working space, a cloud VPC — can invoke any of its 40+ tools without credentials.

CVE-2026-27825 lets an attacker write arbitrary files to the host: drop a reverse shell into ~/.bashrc, add SSH keys to ~/.ssh/authorized_keys, or plant a cron job — achieving full remote code execution.

CVE-2026-27826 turns the MCP server into an SSRF proxy: the attacker can reach cloud metadata endpoints (169.254.169.254), scan internal services, and map the victim's network — all from the victim's own machine.

Am I Affected?

Use the update script to scan your system:

# Download the script or clone this repository

# Check if you're affected (read-only, makes no changes)
./update-mcp-atlassian.sh --check-only

# Also scan MCP client configs (Claude Desktop, Cursor, VS Code)
./update-mcp-atlassian.sh --check-only --scan

What the Script Detects

Method                            What it checks
pip / pip3                        System or virtualenv installs, via pip show
uv tool                           Tools installed via uv tool install
Source checkouts                  Searches ~ for pyproject.toml files referencing mcp-atlassian
Virtualenvs                       Searches ~ for site-packages/mcp_atlassian directories
Docker images                     Images matching mcp-atlassian
MCP client configs (with --scan)  Claude Desktop, Cursor, VS Code, Claude Code settings

Example Output

=== mcp-atlassian Security Update Check ===
CVE-2026-27825 (CVSS 9.1) + CVE-2026-27826 (CVSS 8.2)
Safe version: >= 0.17.0

--- Scanning for mcp-atlassian installations ---

  [!!] pip: 0.16.1 (VULNERABLE) -- /usr/local/lib/python3.12/site-packages
  [OK] uv-tool: 0.17.0 (safe) -- uv tool install

Found 2 installation(s): 1 vulnerable, 1 safe, 0 unknown

1 vulnerable installation(s) found.
Run without --check-only to upgrade.

Script Options

--check-only    Scan only, make no changes (recommended first run)
--scan          Also check MCP client configs for mcp-atlassian references
                and flag dangerous transport settings (0.0.0.0, HTTP transport)
-h, --help      Show help
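The two checks the script's --check-only and --scan modes rest on, version comparison against the fixed release and a look through an MCP client config for risky launch settings, can be reproduced in a few lines. The block below is an added example written for this README, not code from the repository or from the update-mcp-atlassian.sh script. It assumes, as labelled, that mcp-atlassian is launched with `--transport streamable-http|sse` and `--host 0.0.0.0` style flags and that the client config uses the Claude Desktop `mcpServers` JSON layout; the config it scans is constructed for the example.

```python
"""Added example (not code from the MCPwnfluence repository or its
update-mcp-atlassian.sh script): version check against the fixed release
plus a scan of an MCP client config for HTTP transport / 0.0.0.0 binds.

Assumptions, labelled: mcp-atlassian takes `--transport` and `--host`
flags (separate or `--flag=value` form) and the client config follows the
Claude Desktop `mcpServers` layout. SAMPLE_CONFIG is constructed.
"""
import json
import re
from importlib import metadata

SAFE_VERSION = (0, 17, 0)          # first fixed release named in the advisory
HTTP_TRANSPORTS = {"streamable-http", "sse"}

# Constructed sample client config, not a real file from any system.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "atlassian-http": {
            "command": "uvx",
            "args": ["mcp-atlassian", "--transport", "streamable-http",
                     "--host=0.0.0.0", "--port", "9000"],
        },
        "atlassian-stdio": {"command": "uvx", "args": ["mcp-atlassian"]},
        "unrelated": {"command": "npx", "args": ["some-other-server"]},
    }
})


def parse_version(text):
    """Turn '0.16.1' into a comparable tuple of ints.

    Pre-release suffixes such as 'rc1' are ignored, so a pre-release of
    0.17.0 compares equal to the release itself.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version_text):
    """True when the version predates 0.17.0."""
    return parse_version(version_text) < SAFE_VERSION


def installed_version(dist="mcp-atlassian"):
    """Version of a distribution in the current environment, or None."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def _flag_value(argv, name):
    """Value of `--name value` or `--name=value` in argv, else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def scan_client_config(config_text):
    """Return (server_name, finding) pairs for mcp-atlassian entries that
    use an HTTP transport or bind every interface."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        argv = [spec.get("command", ""), *spec.get("args", [])]
        if not any("mcp-atlassian" in a for a in argv):
            continue
        transport = _flag_value(argv, "--transport")
        if transport in HTTP_TRANSPORTS:
            findings.append((name, f"HTTP transport '{transport}': tools exposed without auth"))
        if _flag_value(argv, "--host") == "0.0.0.0":
            findings.append((name, "binds 0.0.0.0: reachable from the whole network"))
    return findings


if __name__ == "__main__":
    v = installed_version()
    print("installed mcp-atlassian:", v, "(VULNERABLE)" if v and is_vulnerable(v) else "")
    for server, finding in scan_client_config(SAMPLE_CONFIG):
        print(f"[!!] {server}: {finding}")
```

Running the file reports the version found in the current Python environment (if any) and the two findings for the constructed `atlassian-http` entry; the stdio entry and the unrelated server produce nothing, which matches the script's focus on HTTP transports.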

How to Upgrade

Automatic (via the script)

# Scan and upgrade vulnerable installations
./update-mcp-atlassian.sh

The script upgrades pip, pip3, uv tool, and virtualenv installations automatically. For source checkouts and Docker images, it prints manual instructions.

Manual

Method   Command
pip      pip install --upgrade "mcp-atlassian>=0.17.0"
uv tool  uv tool upgrade mcp-atlassian
Source   cd mcp-atlassian && git pull && uv sync
Docker   docker pull ghcr.io/sooperset/mcp-atlassian:latest

Technical Details

For a full technical writeup including vulnerable code paths, exploitation flows, real-world attack scenarios, and how the fixes work, see the blog post.

CVE-2026-27825 — Arbitrary File Write

The download_attachment() method in confluence/attachments.py accepts a user-supplied target_path and writes to it with no path validation:

# v0.16.1 — no path traversal check
# (excerpt from download_attachment() in confluence/attachments.py; target_path
#  arrives unmodified from the tool call, response is the HTTP download)
import os

os.makedirs(os.path.dirname(target_path), exist_ok=True)
with open(target_path, "wb") as f:   # writes to ANY path
    for chunk in response.iter_content(chunk_size=8192):
        f.write(chunk)

Fixed in PR #987 by adding validate_safe_path() — resolves symlinks, normalizes paths, enforces base directory containment.
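To make the containment idea concrete, here is an added example in the spirit of that fix. It is not mcp-atlassian's code and not the content of PR #987; the names safe_target_path, write_attachment and UnsafePathError are this example's own. The check resolves symlinks and '..' segments first and only then tests whether the result is inside the base directory, so the decision is made on where the write would actually land.

```python
"""Added example, not mcp-atlassian's code and not the content of PR #987:
a path containment check in the spirit of the validate_safe_path() fix.
Function and exception names are this example's own.
"""
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path would land outside the base directory."""


def safe_target_path(base_dir, target_path):
    """Resolve target_path and return it only if it stays inside base_dir.

    Relative paths are taken relative to base_dir. resolve() collapses
    '..' segments and follows symlinks in every component, so a link whose
    name is inside base_dir but whose target is outside is rejected too.
    """
    base = Path(base_dir).resolve()
    candidate = Path(target_path)
    if not candidate.is_absolute():
        candidate = base / candidate
    resolved = candidate.resolve()
    try:
        resolved.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"{target_path!r} escapes {base}") from None
    return resolved


def write_attachment(base_dir, target_path, data):
    """Hardened counterpart of the vulnerable write: validate, then write."""
    dest = safe_target_path(base_dir, target_path)
    dest.parent.mkdir(parents=True, exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def demo():
    """Exercise the check in a scratch tree built for the example.

    Returns (accepted_labels, rejected_labels, roundtrip_ok).
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "downloads"
        base.mkdir()
        outside = Path(tmp) / "outside"
        outside.mkdir()
        # Constructed symlink whose name is inside base but points outside.
        os.symlink(outside, base / "escape")

        attempts = {                          # constructed inputs
            "plain": "reports/q1.pdf",
            "dotdot": "../outside/note.txt",
            "absolute": str(outside / "note.txt"),
            "symlink": "escape/note.txt",
        }
        accepted, rejected = [], []
        for label, p in attempts.items():
            try:
                safe_target_path(base, p)
                accepted.append(label)
            except UnsafePathError:
                rejected.append(label)

        dest = write_attachment(base, attempts["plain"], b"hello")
        roundtrip_ok = (dest.read_bytes() == b"hello"
                        and dest.parent.parent == base.resolve())
        return accepted, rejected, roundtrip_ok


if __name__ == "__main__":
    print(demo())
```

Of the four constructed inputs only the plain relative path is accepted; the '..' form, the absolute path and the symlink escape are all rejected, and the accepted write lands under the base directory. Note that resolve() does not require the final component to exist, which is what lets the check run before the file is created.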

CVE-2026-27826 — SSRF via Header Injection

The middleware in servers/main.py trusts X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers without validation, allowing an attacker to redirect the server's outbound requests to arbitrary URLs.

Fixed in PR #986 by adding validate_url_for_ssrf() — scheme allowlist, private IP blocking, DNS resolution checks, redirect validation.
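The following added example shows what such an outbound URL check looks like. It is not mcp-atlassian's code and not the content of PR #986; the function names and the FAKE_DNS table are this example's own. It applies a scheme allowlist, rejects literal or resolved addresses outside the globally routable space (loopback, private, link-local and IPv4-mapped IPv6 forms included), refuses userinfo in the URL, and takes an injectable resolver so the check can be exercised offline.

```python
"""Added example, not mcp-atlassian's code and not the content of PR #986:
an outbound URL validator in the spirit of the validate_url_for_ssrf() fix.
Names and the FAKE_DNS answers are this example's own.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "http"}

# Constructed DNS answers for the offline demo; a deployment would use
# default_resolver instead.
FAKE_DNS = {
    "example.atlassian.net": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "two-faced.example": {"93.184.216.34", "127.0.0.1"},
}


def default_resolver(host):
    """Every address the host resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def fake_resolver(host):
    """Offline stand-in for default_resolver; unknown names do not resolve."""
    return FAKE_DNS.get(host, set())


def is_public_address(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=default_resolver):
    """Return url if every address it points at is public; else ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    try:
        targets = {str(ipaddress.ip_address(host))}      # literal address
    except ValueError:
        targets = set(resolver(host))                     # hostname: resolve
        if not targets:
            raise ValueError(f"{host!r} did not resolve")
    # Every answer must be public: a name that resolves to one public and
    # one internal address is rejected, not allowed on the good answer.
    for addr in targets:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} points at non-public {addr}")
    return url


def check_url(url, resolver=default_resolver):
    """(allowed, reason) wrapper, convenient for tests and logging."""
    try:
        validate_outbound_url(url, resolver)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for u in ("https://example.atlassian.net/wiki",
              "http://169.254.169.254/latest/meta-data/",
              "http://intranet.corp/", "file:///etc/hosts"):
        print(u, "->", check_url(u, fake_resolver))
```

Two points the fix description above mentions deserve emphasis. Redirect validation means running this same check on every Location header before following it, since an allowed public host can redirect into the private range. And because the check resolves the name at validation time, a client that re-resolves at connection time is exposed to a rebinding window; connecting to the address that was validated, or pinning it in the HTTP client, closes it.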

Repository Contents

update-mcp-atlassian.sh     Scan & upgrade script (macOS / Linux)
README.md                   This file

Compatibility

  • macOS (bash 3.2+) — tested
  • Linux (bash 4+, Ubuntu, Debian, RHEL, Fedora) — supported
  • Gracefully handles missing tools (no Docker, no uv, no pip — no problem)
  • Uses -xdev to avoid traversing network mounts
  • --check-only is completely read-only

License

Apache 2.0

About

Information about CVE-2026-27825 & CVE-2026-27826, discovered by Pluto Security, and a bash script that identifies vulnerable mcp-atlassian installations and can automatically update them to a fixed version.
