Skills
Atlassian MCP Vulnerabilities: CVE-2026-27825 and CVE-2026-27826 in mcp-atlassian Chain SSRF + Path Traversal for Unauthenticated RCE from Local Network
Pluto Security disclosed two chained vulnerabilities in the mcp-atlassian package: CVE-2026-27825 (SSRF) and CVE-2026-27826 (path traversal) that together enable unauthenticated remote code execution from the local network. This is particularly dangerous because Atlassian MCP servers connect AI coding agents to Jira, Confluence, and Bitbucket — an attacker on the same network can compromise the agent's connection to your entire project management stack. Part of the broader MCP security crisis where 43% of public MCP servers are vulnerable to command execution.
Source
↳ Follow the thread