The Wire
Agents

CVE-2026-27825: Critical Unauthenticated RCE and SSRF in mcp-atlassian MCP Server

Arctic Wolfhigh signal

Arctic Wolf published a critical advisory for CVE-2026-27825, a CVSS 10.0 unauthenticated RCE and SSRF vulnerability in the mcp-atlassian MCP server — one of the most widely deployed MCP connectors linking AI agents to Jira, Confluence, and Bitbucket. The flaw allows a remote attacker with no credentials to execute arbitrary code on the server and pivot into internal network infrastructure via SSRF. Any enterprise agent workflow connecting to Atlassian tools via MCP is potentially exposed.

Follow the thread