CVE-2026-27825: Arbitrary File Write in mcp-atlassian Confluence Attachment Downloader

The mcp-atlassian package provides a Model Context Protocol (MCP) server integration for Atlassian Confluence and Jira. This component facilitates agentic workflows within popular AI-assisted integrated development environments (IDEs) such as Cursor, Claude Desktop, and Copilot. The package exposes a tool named confluence_download_attachment which handles the retrieval of remote assets.

CVE-2026-27825 is an arbitrary file write vulnerability located within the attachment downloading mechanism. The implementation fails to enforce directory boundaries when processing the download_path parameter. This architectural flaw allows the application to write file streams to any absolute or relative path accessible by the executing process.

The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path). Exploitation requires the ability to invoke the MCP tool, which is exposed without authentication by default when using specific transport protocols.

The vulnerability originates in the download_attachment method within the src/mcp_atlassian/confluence/attachments.py module. The function accepts a target_path argument from the client and attempts to normalize it using the standard library os.path.abspath() function. Normalization resolves relative path segments such as directory traversals, but it does not constrain the resulting absolute path to a safe base directory.

Following normalization, the application invokes os.makedirs() to ensure the parent directory of the target path exists. The function passes exist_ok=True, which silently creates missing directories without evaluating the target location against a permitted directory allowlist. The application then opens the file handler in write-binary (wb) mode.

The application streams the HTTP response content from the provided URL directly into the file handler using an 8192-byte chunk size. Because the system processes these operations sequentially without validating the final file destination, an attacker controls both the file location and the file contents. The operation executes with the permissions of the underlying MCP server process.

The vulnerable implementation in version 0.16.1 performs path processing without boundary enforcement. The code standardizes the input path but immediately utilizes it in standard library file operations.

# confluence/attachments.py (v0.16.1)
def download_attachment(self, url: str, target_path: str) -> bool:
    try:
        if not os.path.isabs(target_path):
            target_path = os.path.abspath(target_path)
        os.makedirs(os.path.dirname(target_path), exist_ok=True)
        response = self.confluence._session.get(url, stream=True)
        response.raise_for_status()
        with open(target_path, "wb") as f:
            for chunk in response.iter_content(chunk_size=8192):
                f.write(chunk)

The maintainers addressed this vulnerability in version 0.17.0 via commit 52b9b0997681e87244b20d58034deae89c91631e. The patch introduces a dedicated validate_safe_path utility function that evaluates the target path against a defined base directory using the pathlib module.

# confluence/attachments.py (v0.17.0)
def validate_safe_path(path, base_dir=None):
    if base_dir is None:
        base_dir = os.getcwd()
    resolved_base = Path(base_dir).resolve(strict=False)
    p = Path(path)
    if not p.is_absolute():
        p = resolved_base / p
    resolved_path = p.resolve(strict=False)
    if not resolved_path.is_relative_to(resolved_base):
        raise ValueError(f"Path traversal detected: {path} resolves outside {resolved_base}")
    return resolved_path

This remediation ensures that p.resolve() computes the true absolute path, accounting for symbolic links and traversal characters. The is_relative_to() check explicitly verifies that the resolved path resides strictly within the hierarchical boundary of the base directory. This eliminates the arbitrary file write capability by isolating operations to the designated working context.

Exploitation relies on network access to the MCP server. By default, invoking the application with the --transport streamable-http or sse arguments binds the service to the 0.0.0.0 interface. This configuration exposes the unauthenticated endpoint to all adjacent network segments, allowing local network attackers to interact with the exposed tools.

Researchers at Pluto Security demonstrated an exploit chain dubbed "MCPwnfluence", which combines CVE-2026-27825 with an unauthenticated Server-Side Request Forgery (SSRF) vulnerability designated as CVE-2026-27826. The attacker sends a crafted request containing an altered X-Atlassian-Confluence-Url header. This header forces the MCP server to redirect outbound attachment requests to an attacker-controlled infrastructure.

The attacker then invokes the confluence_download_attachment tool. Due to the SSRF, the server fetches the attacker's payload rather than a legitimate Confluence asset. Simultaneously, the attacker specifies a critical system location in the download_path parameter. The application writes the malicious payload to the targeted system path, completing the attack sequence.

The primary security impact of this vulnerability is Remote Code Execution (RCE). An attacker successfully exploiting the arbitrary file write primitive can overwrite critical system files or deposit executable content into automated task directories. The impact severity directly correlates with the execution context of the MCP server.

On Linux environments, an attacker commonly targets the /etc/cron.d/ directory to schedule malicious commands. If the MCP server runs with standard user privileges, the attacker can write to ~/.bashrc to execute code upon the next terminal session, or append public keys to ~/.ssh/authorized_keys to establish persistent remote access. On macOS systems, attackers target ~/Library/LaunchAgents/ to achieve persistence and code execution.

The vulnerability also facilitates data exfiltration. The corresponding confluence_upload_attachment tool possesses the same path traversal characteristics. An attacker can supply a path referencing local sensitive files, such as ~/.aws/credentials or ~/.ssh/id_rsa, and upload them to an external location under the attacker's control.

The CVSS v3.1 base score is 9.1. The vector reflects a low-complexity, adjacent-network attack requiring no privileges or user interaction. The scope change represents the transition from the vulnerable application context to the underlying operating system environment.

Organizations must upgrade the mcp-atlassian package to version 0.17.0 or later. System administrators can apply the update via standard package managers or by pulling the latest container image from the official GitHub container registry.

If immediate patching is unfeasible, administrators must restrict network exposure. The application should only bind to the local loopback interface (127.0.0.1). Avoid using the --transport streamable-http or sse flags with binding addresses that expose the service to external or adjacent networks.

Deploying the MCP server with the principle of least privilege mitigates the impact of successful exploitation. Run the service as a dedicated non-root user account. When operating within containerized environments, utilize read-only root filesystems and restrict mount points to prevent arbitrary writes to critical operating system paths.