Arctic Wolf — mcp-atlassian unauth RCE/SSRF (CVE-2026-27825/27826)

AI relevance: mcp-atlassian is a common MCP tool for agents; unauth file-write and SSRF bugs let prompt-driven tool calls pivot into host compromise or internal network reach.

  • CVE-2026-27825 affects mcp-atlassian < 0.17.0 and allows unauthenticated arbitrary file writes via attachment download tools.
  • Missing path confinement enables traversal/symlink writes to targets like ~/.ssh/authorized_keys, enabling persistence or RCE.
  • CVE-2026-27826 is a related SSRF flaw: middleware trusts X-Atlassian-* URL headers without validation.
  • Exposed MCP HTTP transports are often bound to 0.0.0.0 with no auth, amplifying Internet-facing risk.
  • Patch 0.17.0 adds validate_safe_path() and SSRF URL validation/allowlists.
  • No active exploitation reported by Arctic Wolf as of Feb 27, but public PoC details are available.

Security impact

On AI stacks, the real risk isn’t just the CVE; it’s the path from prompt to tool to host. mcp-atlassian is a common MCP bridge for agents. When an attacker can hit it unauthenticated, a single crafted request can write files to the host, and that becomes a durable compromise (keys, cron, shell profiles). Once the host is compromised, any agent running there becomes a data-exfiltration surface: model logs, tool credentials, and internal API tokens can be harvested silently. In practice, this turns “LLM tool access” into a remote code execution pathway, even if your agent never exposes a shell tool.

The SSRF bug compounds this: attackers can pivot from the MCP server to cloud metadata endpoints, internal admin panels, or other microservices that were never meant to be reachable. In AI deployments, where the agent often has broad network reach to retrieve context, SSRF becomes a powerful lateral movement primitive. Combined with prompt injection, an attacker can trick a public-facing agent into initiating requests that reach internal systems, turning a single malicious prompt into a cross-network breach chain.

Mitigation strategy

Upgrade immediately and treat MCP servers like production control planes, not dev utilities. Bind to localhost or private networks only, require auth, and add allowlists for file paths and outbound hosts. If you must expose MCP to the network, put it behind a gateway with strict auth and rate limits, and log all tool invocations with request IDs so incident response can reconstruct the chain.
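
The path-confinement part of this advice, as an added example: this is not code from Arctic Wolf or from mcp-atlassian, and it is not the project's validate_safe_path(). The helper names, directory names and filenames are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def confine_path(base_dir, requested):
    """Return the resolved target if it stays inside base_dir, else raise.

    Hypothetical helper, not mcp-atlassian's validate_safe_path(). Symlinks
    are resolved on both sides before comparing, so "../" sequences, absolute
    paths and symlinked directories are judged by where they really land.
    """
    base = Path(base_dir).resolve(strict=True)
    # An absolute `requested` replaces base in the join; the check catches it.
    target = (base / requested).resolve(strict=False)
    if not target.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"{requested!r} resolves outside {base}")
    return target


def safe_write(base_dir, requested, data):
    """Write data under base_dir; refuse a symlink as the final component."""
    target = confine_path(base_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW (POSIX) rejects a leaf swapped for a symlink after the check.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o600), "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Run constructed filenames against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        downloads, outside = Path(root, "downloads"), Path(root, "home_ssh")
        downloads.mkdir()
        outside.mkdir()
        os.symlink(outside, downloads / "link")  # directory symlink out of the sandbox
        cases = ["report.pdf", "../home_ssh/authorized_keys",
                 "link/authorized_keys", str(outside / "authorized_keys")]
        outcomes = []
        for name in cases:
            try:
                safe_write(downloads, name, b"constructed sample")
                outcomes.append("written")
            except ValueError:
                outcomes.append("rejected")
        return outcomes, not any(outside.iterdir())
```

Only the plain filename is written; the traversal, symlinked-directory and absolute-path requests are rejected before any file or directory is created outside the download directory.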

Why it matters

  • Unauthenticated file writes turn a tool endpoint into a direct host takeover path for AI tool stacks.
  • SSRF in agent tooling can expose internal services, metadata endpoints, and secrets to remote attackers.
  • These issues compound with prompt injection: a malicious prompt can steer vulnerable tools into dangerous actions.

What to do

  • Upgrade: move to mcp-atlassian 0.17.0+ immediately.
  • Require auth: do not expose MCP HTTP transports unauthenticated or publicly accessible.
  • Constrain tools: enforce strict path allowlists and block outbound requests to private ranges.

Sources