{"data":{"id":"2c144915-0fe1-495b-b92f-5dbe3cfe0f7a","title":"GHSA-7r34-79r5-rcc9: MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers","summary":"MCP Atlassian has a server-side request forgery (SSRF, where a server is tricked into making requests to unintended URLs) vulnerability that allows an unauthenticated attacker to force the server to make outbound HTTP requests to any URL by supplying two custom headers (X-Atlassian-Jira-Url and X-Atlassian-Confluence-Url) whose values the server does not validate. This could enable credential theft in cloud environments or allow attackers to probe internal networks and inject malicious content into AI tool results.","solution":"N/A -- no mitigation discussed in source. The affectedPackages field of this record lists 0.17.0 as the fixed version of mcp-atlassian.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-7r34-79r5-rcc9","publishedAt":"2026-03-10T18:48:46.000Z","cveId":"CVE-2026-27826","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["mcp-atlassian@< 0.17.0 (fixed: 0.17.0)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Anthropic MCP","mcp-atlassian","Jira","Confluence"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-03-10T18:48:46.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}