
Originally published at cvereports.com


CVE-2026-27825: Arbitrary File Write in mcp-atlassian Confluence Attachment Downloader

Vulnerability ID: CVE-2026-27825
CVSS Score: 9.1
Published: 2026-03-10

CVE-2026-27825 is a critical arbitrary file write vulnerability in the mcp-atlassian Model Context Protocol (MCP) server. Because the confluence_download_attachment tool did not enforce a directory boundary on the destination path, an attacker on the local network who can reach the server can write arbitrary content to any path accessible to the server process.

TL;DR

mcp-atlassian versions before 0.17.0 contain an arbitrary file write vulnerability in the confluence_download_attachment tool. Because the tool does not confine the destination path to its intended download directory, attackers can write malicious files elsewhere on the host, which leads to remote code execution when chained with CVE-2026-27826.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-22, CWE-73
  • Attack Vector: Adjacent Network
  • CVSS v3.1 Score: 9.1 (Critical)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept (PoC) Available
  • CISA KEV: Not Listed

Affected Systems

  • mcp-atlassian MCP Server
  • Cursor IDE Integrations
  • Claude Desktop Integrations
  • Copilot Integrations
  • mcp-atlassian: < 0.17.0 (Fixed in: 0.17.0)

Code Analysis

Commit: 52b9b09

Implemented validate_safe_path utility to enforce directory boundaries during file operations.
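To show what "enforcing a directory boundary" means in practice, here is an added example of the bug class and the containment check that closes it. It is written for this page and is not mcp-atlassian's code or its validate_safe_path utility; the base directory, function names and sample attachment names are constructed for the illustration. The approach is general: join first, canonicalise both sides (symlinks followed, ".." collapsed), then test containment by path components.

```python
import os
from pathlib import Path

# Added illustration of the bug class and its fix. The base directory, the
# function names and the sample requests are constructed for this example and
# are not mcp-atlassian's own code or its validate_safe_path utility.


class UnsafePathError(ValueError):
    """Raised when a requested file name would land outside the download directory."""


def unsafe_join(base_dir, requested):
    """The pattern behind CWE-22: a plain join with no boundary check.

    os.path.join keeps '..' segments verbatim and discards base_dir entirely
    when `requested` is absolute, so the caller decides the final location.
    """
    return os.path.join(base_dir, requested)


def safe_attachment_path(base_dir, requested):
    """Return the absolute path `requested` maps to under `base_dir`, or raise.

    Both sides are canonicalised (symlinks followed, '..' collapsed) before the
    containment test, so traversal segments, absolute names and a symlink
    planted inside base_dir all fail the check instead of redirecting the write.
    """
    base = Path(base_dir).resolve(strict=False)
    try:
        # Join first, then resolve: pathlib's '/' replaces the left side when
        # the right side is absolute, which is exactly the case we must catch.
        candidate = (base / requested).resolve(strict=False)
        # relative_to raises ValueError when candidate is not under base. It
        # compares components, so /srv/downloads2 is not "inside" /srv/downloads.
        candidate.relative_to(base)
    except (ValueError, OSError):
        raise UnsafePathError(f"{requested!r} does not stay within {base_dir!r}") from None
    return candidate


def classify_requests(base_dir, requested_names):
    """Map each requested name to True (accepted) or False (rejected)."""
    result = {}
    for name in requested_names:
        try:
            safe_attachment_path(base_dir, name)
            result[name] = True
        except UnsafePathError:
            result[name] = False
    return result


def write_attachment(base_dir, requested, data):
    """Write `data` only after the destination has passed the containment check."""
    target = safe_attachment_path(base_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    SAMPLE_REQUESTS = [  # constructed attachment names a caller might supply
        "report.pdf",
        "2026/q1/minutes.docx",
        "sub/../sibling.txt",   # traverses but ends inside the directory: accepted
        "../../outside.txt",    # escapes the directory: rejected
        "/tmp/outside.txt",     # absolute name: rejected
    ]
    for name, ok in classify_requests("/srv/downloads", SAMPLE_REQUESTS).items():
        print(f"{'accept' if ok else 'REJECT'}  {name!r}")
```

Note that the check is on the final resolved location, not on the presence of ".." in the input: "sub/../sibling.txt" is accepted because it still lands inside the directory, while a symlink inside the directory that points elsewhere is rejected because resolve() follows it before the comparison.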

Exploit Details

  • GitHub: Detection and proof-of-concept scripts demonstrating the MCPwnfluence attack chain.

Mitigation Strategies

  • Upgrade mcp-atlassian to version 0.17.0 or later.
  • Bind MCP servers exclusively to the localhost interface (127.0.0.1) instead of 0.0.0.0.
  • Run the MCP server process as a restricted, non-root user.
  • Deploy the application within a container utilizing a read-only root filesystem.

Remediation Steps:

  1. Identify all running instances of the mcp-atlassian service in development and production environments.
  2. Update the package using uvx upgrade mcp-atlassian or pull the updated Docker image docker pull ghcr.io/sooperset/mcp-atlassian:latest.
  3. Review startup scripts to ensure the --transport streamable-http or sse flags do not bind to 0.0.0.0 unless explicitly required and authenticated.
  4. Audit system directories (e.g., /etc/cron.d/, ~/.ssh/) on previously exposed hosts for unauthorized modifications.
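For the "review startup scripts" step, the following is an added example of a small audit that flags mcp-atlassian launch lines exposing a network transport beyond loopback; it is not part of the advisory or of the mcp-atlassian project. The sample script is constructed, and two points are assumptions to verify against the deployed version: that the CLI takes a --host flag, and that a network transport launched without --host listens on all interfaces. For docker lines it checks the host-side -p mapping instead, since binding 0.0.0.0 inside a container is normal and the exposure is decided by whether the mapping carries a host IP.

```python
import shlex

# Added example for the startup-script review step. The sample script, the
# --host flag and the "no --host means all interfaces" rule are assumptions
# made for this illustration; check them against the version you run.
SAMPLE_STARTUP_SCRIPT = """\
#!/bin/sh
# stdio transport: no listening socket, nothing to bind
uvx mcp-atlassian --transport stdio
# network transport bound to every interface
uvx mcp-atlassian --transport streamable-http --host 0.0.0.0 --port 9000
# network transport with no --host at all (assumed to mean all interfaces)
uvx mcp-atlassian --transport sse --port 9001
# network transport limited to loopback
uvx mcp-atlassian --transport=sse --host=127.0.0.1 --port 9002
# container published on every host interface by docker's -p
docker run -p 9000:9000 ghcr.io/sooperset/mcp-atlassian:latest --transport sse --host 0.0.0.0
# container published on loopback only
docker run -p 127.0.0.1:9000:9000 ghcr.io/sooperset/mcp-atlassian:latest --transport sse --host 0.0.0.0
"""

NETWORK_TRANSPORTS = {"sse", "streamable-http"}
# Host values that accept connections from any interface.
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "*"}


def flag_values(argv, names):
    """Collect values given as `--flag value` or `--flag=value` for any flag in names."""
    values = []
    for i, tok in enumerate(argv):
        if tok in names and i + 1 < len(argv):
            values.append(argv[i + 1])
            continue
        for name in names:
            if tok.startswith(name + "="):
                values.append(tok[len(name) + 1:])
    return values


def audit_startup_script(text):
    """Return one (line_number, reason) finding per line that exposes mcp-atlassian beyond loopback.

    Comments, blank lines and lines that do not mention mcp-atlassian are skipped.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "mcp-atlassian" not in line:
            continue
        argv = shlex.split(line)

        if argv[0] == "docker":
            # Inside the container 0.0.0.0 is expected; the host-side publish
            # mapping decides exposure: IP:hostport:containerport is limited to
            # that IP, hostport:containerport listens on all host interfaces.
            for mapping in flag_values(argv, ("-p", "--publish")):
                parts = mapping.split(":")
                host_ip = parts[0] if len(parts) == 3 else ""
                if host_ip in WILDCARD_HOSTS:
                    findings.append((lineno, f"docker publishes {mapping} on all host interfaces"))
            continue

        transports = flag_values(argv, ("--transport",))
        transport = transports[0] if transports else "stdio"
        if transport not in NETWORK_TRANSPORTS:
            continue  # stdio has no socket to expose
        hosts = flag_values(argv, ("--host",))
        host = hosts[0] if hosts else ""
        if host in WILDCARD_HOSTS:
            findings.append((lineno, f"{transport} transport bound to {host or '<not given>'}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_startup_script(SAMPLE_STARTUP_SCRIPT):
        print(f"line {lineno}: {reason}")
```

Run against the constructed script it reports lines 5, 7 and 11; the loopback-bound uvx line and the docker line published as 127.0.0.1:9000:9000 pass. The same function can be pointed at real systemd units, shell wrappers or compose-generated commands by feeding their text in.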

Read the full report for CVE-2026-27825 on our website for more details including interactive diagrams and full exploit analysis.
