CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-489G-7RXV-6C8Q

CVE-2026-27826: DNS Rebinding TOCTOU Bypass in mcp-atlassian Server

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 10, 2026·5 min read·3 visits

Executive Summary (TL;DR)

Unauthenticated users can bypass SSRF protections via DNS rebinding (TOCTOU) in mcp-atlassian, gaining access to internal endpoints and cloud provider metadata.

A DNS-rebinding Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mcp-atlassian server before version 0.17.0. The server processes unauthenticated client-supplied URLs via custom headers, validating the destination IP but failing to pin the resolved address before connecting. This allows remote adjacent-network attackers to achieve Server-Side Request Forgery (SSRF) and access restricted resources or cloud metadata services.

Vulnerability Overview

The mcp-atlassian server is a Model Context Protocol (MCP) server used to interface with Atlassian applications, including Jira and Confluence. In versions prior to 0.17.0, the application exposes an HTTP/SSE interface that processes unauthenticated incoming requests. When managing connections, the server allows clients to dynamically specify target Atlassian instances via custom HTTP headers, creating an expansive attack surface.\n\nSpecifically, the server reads the target hostnames from the X-Atlassian-Jira-Url and X-Atlassian-Confluence-Url headers. Because these requests can be initiated by unauthenticated users, the design introduces risks of arbitrary outbound network requests. This vulnerability class falls under CWE-918 (Server-Side Request Forgery) combined with a CWE-367 (Time-of-Check to Time-of-Use) race condition, allowing adjacent network actors to target internal nodes.

Root Cause Analysis

The vulnerability arises from a flawed validation routine designed to block private IP addresses. In an attempt to secure custom URLs, the developers implemented validate_url_for_ssrf in src/mcp_atlassian/utils/urls.py. This utility resolves the client-supplied hostname and checks if any resolved IP address belongs to non-global ranges (e.g., private subnets, loopback, or link-local addresses).\n\nHowever, the code suffers from a classic Time-of-Check to Time-of-Use (TOCTOU) vulnerability. The validation step performs DNS resolution and, if successful, allows execution to proceed. Crucially, the validated IP address is discarded, and the application subsequently passes the original hostname string to the Python requests library. If an attacker controls the authoritative DNS server for the target domain, they can configure it to return a public IP during the validation phase, and then immediately return a private IP (such as 169.254.169.254 or 127.0.0.1) during the connection phase.\n\nAdditionally, the redirect protection implemented as a response hook is defective. The hook intercepts responses and checks response.is_redirect. However, in the standard requests library, redirects are followed internally by default, meaning that the response hook is only executed on the final resolved object. If an intermediate redirect leads to a non-redirect (e.g., a 200 OK on a private resource), the hook fails to trigger, leaving the system fully vulnerable to redirect-based bypasses.

Code Analysis

Let us analyze the vulnerable validation logic from src/mcp_atlassian/utils/urls.py in detail. The original DNS resolution check loops through the resolved sockets, but never pins the resulting address:\n\npython\n# Vulnerable DNS validation routine\ndef _check_dns_resolution(hostname: str) -> str | None:\n try:\n results = socket.getaddrinfo(hostname, None)\n except socket.gaierror:\n return f\"DNS resolution failed for {hostname}\"\n\n for _family, _type, _proto, _canonname, sockaddr in results:\n ip_str = sockaddr[0]\n addr = ipaddress.ip_address(ip_str)\n if not addr.is_global:\n return f\"DNS for {hostname} resolves to non-global IP: {ip_str}\"\n return None\n\n\nEven if _check_dns_resolution returns None (indicating a safe IP), the application goes on to make an independent request using the unpinned URL. The diagram below illustrates this TOCTOU flow:\n\nmermaid\ngraph LR\n Client[Client Request] --> Validation[validate_url_for_ssrf]\n Validation -->|DNS Query 1: Public IP| Safe[Validation Passes]\n Safe --> Outbound[requests.get]\n Outbound -->|DNS Query 2: Private IP| Target[Private Resource / IMDS]\n\n\nFurthermore, the redirect validation mechanism utilizes a post-response hook that is fundamentally bypassed because intermediate redirects are processed natively inside requests prior to the hook's invocation.

Exploitation Methodology

An attacker can achieve full Server-Side Request Forgery (SSRF) bypass using standard DNS rebinding techniques. The attack requires deploying a custom DNS server that answers requests dynamically with a very low Time-to-Live (TTL) of 0 seconds. On the first query, the DNS server returns a benign global IP address (e.g., 104.192.141.1). On the second query, the DNS server returns a local or loopback address (e.g., 169.254.169.254).\n\nThe exploitation sequence is as follows:\n\n1. The attacker establishes an unauthenticated session with the MCP server by sending an initial handshake to /mcp.\n\n2. The attacker triggers a tool execution such as jira_get_issue while providing custom headers: X-Atlassian-Jira-Url: http://rebind.attacker.com and X-Atlassian-Jira-Personal-Token: testing.\n\n3. During the validation phase, the host machine queries rebind.attacker.com, receives 104.192.141.1, and validates the URL as safe.\n\n4. When mcp-atlassian initiates the outbound HTTP connection, it sends another DNS query due to the expired TTL, resolving rebind.attacker.com to 169.254.169.254.\n\n5. The server connects to the AWS Instance Metadata Service, retrieving sensitive credentials or IAM role policies.

Impact Assessment

The successful exploitation of CVE-2026-27826 allows unauthenticated, remote attackers to perform arbitrary HTTP requests from the context of the hosting server. Depending on where the mcp-atlassian server is deployed, this capability can lead to severe compromises.\n\nIn cloud environments (such as AWS, Google Cloud, or Azure), the attacker can access the cloud metadata service to retrieve temporary IAM role credentials, resulting in a full cloud account takeover. In local or enterprise networks, the vulnerability enables internal port scanning, discovery of microservices, and interactions with unauthenticated administrative endpoints (such as Redis, Consul, or local databases).\n\nThe CVSS v3.1 base score of 8.2 is classified as High severity. The score reflects a high confidentiality impact and low integrity impact, with the scope changed because the vulnerability in mcp-atlassian is leveraged to compromise adjacent systems on the internal network.

Remediation and Mitigation

The primary remediation for this vulnerability is to upgrade mcp-atlassian to version 0.17.0 or higher, which properly addresses the DNS rebinding flaw and enforces strict validation.\n\nIf upgrading immediately is not possible, the following mitigations must be implemented:\n\n1. Define Allowed Domains: Set the environment variable MCP_ALLOWED_URL_DOMAINS to restrict the target domains to trusted Atlassian instances (e.g., yourorg.atlassian.net).\n\n2. Network Filtering: Implement host-level firewall rules using iptables to block the server process from initiating outgoing connections to local IP addresses and the link-local metadata address (169.254.169.254).\n\n3. Isolate Deployment: Place the MCP server in a private security group with no outbound access to other internal network resources.

Technical Appendix

CVSS Score
8.2/ 10

Affected Systems

mcp-atlassian

Affected Versions Detail

Product
Affected Versions
Fixed Version
mcp-atlassian
sooperset
< 0.17.00.17.0
AttributeDetail
CWE IDCWE-918, CWE-367
Attack VectorAdjacent Network (AV:A)
CVSS Score8.2
EPSS Score14.96%
Exploit StatusProof of Concept / Active
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1005Data from Local System
Collection

More Reports

•about 2 hours ago•CVE-2026-54070
7.1

CVE-2026-54070: Stored Cross-Site Scripting via Modern HTML5 Event Handler Bypass in SiYuan Bazaar

A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan prior to version 3.7.0. The vulnerability is located within the server-side Markdown-to-HTML parsing component for the Bazaar marketplace packages. Due to an incomplete event-handler attribute blocklist in the lute parsing engine and a lack of client-side DOM sanitization, malicious package authors can bypass restrictions using modern HTML5 event handlers. When an authenticated administrator views a malicious package, the embedded JavaScript runs in the administrator origin, allowing unauthorized workspace access, local file reading, and remote API execution.

Alon Barad
Alon Barad
4 views•5 min read
•about 5 hours ago•CVE-2026-49866
7.5

CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser

A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 6 hours ago•CVE-2026-49858
5.9

CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers

CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.

Alon Barad
Alon Barad
5 views•7 min read
•about 7 hours ago•CVE-2026-5078
5.3

CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware

CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.

Alon Barad
Alon Barad
6 views•7 min read
•about 18 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 18 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read