GHSA-WM45-QH3G-V83F: Arbitrary Server-Side File Read and Exfiltration via Attachment Upload in mcp-atlassian
Vulnerability ID: GHSA-WM45-QH3G-V83F
CVSS Score: 7.7
Published: 2026-07-10
An arbitrary server-side file read vulnerability exists in the mcp-atlassian integration server. Remote clients utilizing SSE or HTTP transports can exploit the lack of directory containment on attachment-upload tools to resolve and read arbitrary host files, exfiltrating them directly to Atlassian Jira or Confluence.
TL;DR
Remote clients can read and exfiltrate arbitrary files from the host server (such as system configurations and API keys) by exploiting a directory traversal vulnerability in mcp-atlassian before 0.22.0.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network
- CVSS v3.1: 7.7 (High)
- Impact: Arbitrary File Read / Data Exfiltration
- Exploit Status: PoC Available
- CISA KEV Status: Not Listed
Affected Systems
- mcp-atlassian PyPI package deployed over remote network transports (HTTP/SSE)
-
mcp-atlassian: < 0.22.0 (Fixed in:
0.22.0)
Mitigation Strategies
- Upgrade to mcp-atlassian version 0.22.0 or later
- Restrict the MCP server's network bindings to 127.0.0.1
- Run the MCP server in a containerized environment with a non-root user and minimal read privileges
Remediation Steps:
- Identify deployments running mcp-atlassian versions prior to 0.22.0
- Update the PyPI dependency to mcp-atlassian>=0.22.0 in requirements.txt or pyproject.toml
- Rebuild and redeploy the MCP server container or service
- Audit Atlassian Confluence page attachments and Jira ticket attachments for unauthorized files (e.g., passwd, hosts, environ)
Read the full report for GHSA-WM45-QH3G-V83F on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)