CVE-2026-27826: DNS Rebinding TOCTOU Bypass in mcp-atlassian Server
Vulnerability ID: GHSA-489G-7RXV-6C8Q
CVSS Score: 8.2
Published: 2026-07-10
A DNS-rebinding Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mcp-atlassian server before version 0.17.0. The server processes unauthenticated client-supplied URLs via custom headers, validating the destination IP but failing to pin the resolved address before connecting. This allows remote adjacent-network attackers to achieve Server-Side Request Forgery (SSRF) and access restricted resources or cloud metadata services.
TL;DR
Unauthenticated users can bypass SSRF protections via DNS rebinding (TOCTOU) in mcp-atlassian, gaining access to internal endpoints and cloud provider metadata.
Technical Details
- CWE ID: CWE-918, CWE-367
- Attack Vector: Adjacent Network (AV:A)
- CVSS Score: 8.2
- EPSS Score: 14.96%
- Exploit Status: Proof of Concept / Active
- CISA KEV Status: Not Listed
Affected Systems
- mcp-atlassian
-
mcp-atlassian: < 0.17.0 (Fixed in:
0.17.0)
Mitigation Strategies
- Upgrade mcp-atlassian to version 0.17.0 or higher
- Configure the MCP_ALLOWED_URL_DOMAINS environment variable
- Apply network-level firewall blocks (iptables) to restrict egress to internal ranges
Remediation Steps:
- Verify current version of mcp-atlassian using pip show mcp-atlassian
- Update the package to version 0.17.0 or above: pip install --upgrade mcp-atlassian
- Restart the server process to apply the changes
Read the full report for GHSA-489G-7RXV-6C8Q on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)