CVE-2026-27826: CWE-918: Server-Side Request Forgery (SSRF) in sooperset mcp-atlassian
CVE-2026-27826 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in sooperset's mcp-atlassian server versions prior to 0.17.0. It allows unauthenticated attackers who can access the HTTP endpoint to force the server to make arbitrary outbound HTTP requests by supplying two custom headers without needing an Authorization header. The vulnerability resides in the HTTP middleware and dependency injection layer, so analysis of the tool-level code does not detect it. In cloud environments, it can lead to theft of IAM role credentials via the instance metadata service. In any deployment, it enables internal network reconnaissance and injection of attacker-controlled content into LLM tool results. The issue is fixed in version 0.17.0.
AI Analysis
Technical Summary
CVE-2026-27826 is a Server-Side Request Forgery (SSRF) vulnerability affecting sooperset's mcp-atlassian server, a Model Context Protocol server used with Atlassian products such as Confluence and Jira. The vulnerability exists in versions prior to 0.17.0 and allows an unauthenticated attacker with network access to the mcp-atlassian HTTP endpoint to coerce the server into making arbitrary HTTP requests to attacker-controlled URLs. This is achieved by sending two specially crafted HTTP headers without an Authorization header. The flaw lies in the HTTP middleware and dependency injection layer rather than in the MCP tool handlers, making it invisible to typical tool-level code analysis. In cloud deployments, this SSRF can be leveraged to access the instance metadata endpoint (169.254.169.254), potentially leading to theft of IAM role credentials, which could allow privilege escalation and lateral movement within cloud environments. In any deployment, the vulnerability enables internal network reconnaissance by probing internal services and injecting malicious content into responses used by large language model (LLM) tools, potentially poisoning their outputs. The vulnerability does not require authentication or user interaction, increasing its risk. The issue was publicly disclosed on March 10, 2026, with a CVSS 3.1 score of 8.2, reflecting high impact on confidentiality and partial impact on integrity, with no impact on availability. The vulnerability is fixed in version 0.17.0 of mcp-atlassian.
Potential Impact
The primary impact of CVE-2026-27826 is the unauthorized ability for attackers to make the vulnerable server perform arbitrary HTTP requests, which can lead to significant security breaches. In cloud environments, attackers can exploit this SSRF to access the instance metadata service, potentially stealing IAM credentials that grant elevated privileges, enabling further compromise of cloud infrastructure and data exfiltration. In on-premises or private network deployments, the vulnerability facilitates internal network reconnaissance, allowing attackers to map internal services and potentially identify further vulnerabilities. Additionally, attackers can inject malicious content into the responses processed by LLM tools, potentially poisoning outputs and misleading users or automated processes relying on these tools. The lack of authentication and user interaction requirements increases the likelihood of exploitation once network access is obtained. Organizations using Atlassian products integrated with mcp-atlassian servers prior to version 0.17.0 face risks of data confidentiality breaches, integrity violations, and potential lateral movement within their networks. The vulnerability could also undermine trust in LLM-based tools by corrupting their data inputs.
Mitigation Recommendations
Organizations should immediately upgrade all instances of mcp-atlassian to version 0.17.0 or later, where this SSRF vulnerability is fixed. Until upgrades can be applied, network-level mitigations should be implemented: restrict access to the mcp-atlassian HTTP endpoint to trusted internal IP addresses only, using firewalls or network segmentation. Employ egress filtering to prevent unauthorized outbound HTTP requests from the server, especially blocking access to sensitive internal IP ranges such as the cloud instance metadata service (169.254.169.254). Monitor network traffic for unusual outbound requests originating from mcp-atlassian servers. Implement strict input validation and header inspection at the HTTP middleware layer if possible, to detect and block suspicious custom headers that could trigger SSRF. Conduct internal network scans to identify any exposed mcp-atlassian endpoints and remediate accordingly. Review and audit IAM role permissions to minimize the impact of potential credential theft. Finally, monitor logs and LLM tool outputs for signs of injection or poisoning attempts that may indicate exploitation.
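The header inspection and destination checks recommended above can be sketched as follows. This is an added example, not code from mcp-atlassian or from this advisory; the header names are hypothetical placeholders (the advisory does not name the two headers), and the allowlisted host and sample addresses are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only upstream hosts this deployment should ever contact.
ALLOWED_HOSTS = {"example.atlassian.net"}
# Hypothetical placeholder names; the advisory does not name the two headers.
URL_OVERRIDE_HEADERS = ("x-example-upstream-url", "x-example-upstream-token")

def _resolve(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_internal(addr):
    """True for loopback, RFC 1918, link-local (169.254.0.0/16) and similar."""
    ip = ipaddress.ip_address(addr)
    if getattr(ip, "ipv4_mapped", None):  # unwrap ::ffff:a.b.c.d
        ip = ip.ipv4_mapped
    return not ip.is_global

def check_upstream_url(url, allowed=ALLOWED_HOSTS, resolve=_resolve):
    """Return (ok, reason) for a client-supplied upstream URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False, "malformed"
    if parts.scheme != "https":
        return False, "scheme"
    if host not in allowed:
        return False, "host-not-allowlisted"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "unresolvable"
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves-internal"  # allowlisted name pointing inward
    return True, "ok"

def check_request(headers, **kw):
    """Reject unauthenticated requests that try to choose the upstream."""
    h = {k.lower(): v for k, v in headers.items()}
    if any(n in h for n in URL_OVERRIDE_HEADERS) and "authorization" not in h:
        return False, "override-without-auth"
    if URL_OVERRIDE_HEADERS[0] in h:
        return check_upstream_url(h[URL_OVERRIDE_HEADERS[0]], **kw)
    return True, "ok"
```

The check resolves the host name at validation time, so the outbound connection should be made to the validated address; network egress filtering remains necessary as a backstop.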
Affected Countries
United States, United Kingdom, Germany, Japan, Australia, Canada, France, Netherlands, India, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.799Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b06a2b2f860ef943991eff
Added to database: 3/10/2026, 6:59:55 PM
Last enriched: 3/17/2026, 7:28:05 PM
Last updated: 4/24/2026, 2:23:20 PM