DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-489G-7RXV-6C8Q: CVE-2026-27826: DNS Rebinding TOCTOU Bypass in mcp-atlassian Server

CVE-2026-27826: DNS Rebinding TOCTOU Bypass in mcp-atlassian Server

Vulnerability ID: GHSA-489G-7RXV-6C8Q
CVSS Score: 8.2
Published: 2026-07-10

A DNS-rebinding Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mcp-atlassian server before version 0.17.0. The server processes unauthenticated client-supplied URLs via custom headers, validating the destination IP but failing to pin the resolved address before connecting. This allows remote adjacent-network attackers to achieve Server-Side Request Forgery (SSRF) and access restricted resources or cloud metadata services.

TL;DR

Unauthenticated users can bypass SSRF protections via DNS rebinding (TOCTOU) in mcp-atlassian, gaining access to internal endpoints and cloud provider metadata.


Technical Details

  • CWE ID: CWE-918, CWE-367
  • Attack Vector: Adjacent Network (AV:A)
  • CVSS Score: 8.2
  • EPSS Score: 14.96%
  • Exploit Status: Proof of Concept / Active
  • CISA KEV Status: Not Listed

Affected Systems

  • mcp-atlassian
  • mcp-atlassian: < 0.17.0 (Fixed in: 0.17.0)

Mitigation Strategies

  • Upgrade mcp-atlassian to version 0.17.0 or higher
  • Configure the MCP_ALLOWED_URL_DOMAINS environment variable
  • Apply network-level firewall blocks (iptables) to restrict egress to internal ranges

Remediation Steps:

  1. Verify current version of mcp-atlassian using pip show mcp-atlassian
  2. Update the package to version 0.17.0 or above: pip install --upgrade mcp-atlassian
  3. Restart the server process to apply the changes

Read the full report for GHSA-489G-7RXV-6C8Q on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)