CVE-2026-27826

Summary

MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers

Severity

high

EPSS

1.2% (p64)

Also known as

GHSA-7r34-79r5-rcc9

Published

2026-03-10

References

• https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
• https://github.com/sooperset/mcp-atlassian/commit/5cd697dfce9116ef330b8dc7a91291640e0528d9
• https://github.com/sooperset/mcp-atlassian

Related advisories

• CVE-2026-27825 — critical · PyPI/mcp-atlassian

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity