GHSA-7r34-79r5-rcc9: MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
Summary
MCP Atlassian has a server-side request forgery vulnerability (SSRF, where a server is tricked into making requests to unintended URLs). The server does not properly validate two custom headers, X-Atlassian-Jira-Url and X-Atlassian-Confluence-Url, so an unauthenticated attacker who supplies them can force the server to make outbound HTTP requests to any URL. This could enable credential theft in cloud environments or allow attackers to probe internal networks and inject malicious content into AI tool results.
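One way to validate the two headers before any outbound request is built, as an added example that is not the project's code or its fix. The allowlisted host names and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the operator's own Atlassian hosts (constructed names).
ALLOWED_HOSTS = frozenset({"example.atlassian.net", "wiki.corp.example"})
URL_HEADERS = ("X-Atlassian-Jira-Url", "X-Atlassian-Confluence-Url")


def check_base_url(value, allowed=ALLOWED_HOSTS):
    """Return a normalised https base URL, or raise ValueError."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        raise ValueError(f"unparseable URL: {exc}") from None
    if parts.scheme != "https":
        raise ValueError("only https URLs are accepted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not accepted")
    # Exact match on the parsed host: no substring or suffix tests, so
    # look-alike names and IP literals fall through to rejection.
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed:
        raise ValueError(f"host {host!r} is not on the allowlist")
    if port not in (None, 443):
        raise ValueError("only port 443 is accepted")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment are not accepted")
    return f"https://{host}{parts.path.rstrip('/')}"


def check_request_headers(headers, allowed=ALLOWED_HOSTS):
    """Validate whichever URL headers are present; {header: base_url}."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: check_base_url(lowered[name.lower()], allowed)
            for name in URL_HEADERS if name.lower() in lowered}


def rejected(value):
    """True when check_base_url refuses the value."""
    try:
        check_base_url(value)
    except ValueError:
        return True
    return False
```

The check only helps if it runs before a client is created for the request, and if the outbound client does not follow redirects to hosts off the allowlist.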
Vulnerability Details
EPSS: 0.0%
March 10, 2026
Original source: https://github.com/advisories/GHSA-7r34-79r5-rcc9
First tracked: March 10, 2026 at 04:00 PM