
Information about CVE-2026-27825 and CVE-2026-27826, discovered by Pluto Security, plus a bash script that identifies vulnerable mcp-atlassian instances and can automatically update them to a fixed version.

Created 2/26/2026
Updated about 6 hours ago

MCPwnfluence — CVE-2026-27825 & CVE-2026-27826

Two critical vulnerabilities in mcp-atlassian, one of the most popular MCP servers in the ecosystem (4.4K+ GitHub stars, 4M+ downloads).

Discovered by the team at Pluto Security.

The Vulnerabilities

| CVE | CVSS | Type | Description |
|-----|------|------|-------------|
| CVE-2026-27825 | 9.1 Critical | Arbitrary File Write / RCE | Path traversal in attachment download allows writing any file to the host filesystem |
| CVE-2026-27826 | 8.2 High | SSRF via Header Injection | Unvalidated URL headers let attackers use the MCP server as a proxy into internal networks |

Affected versions: < 0.17.0 using HTTP transport (streamable-http or sse)

Fixed in: v0.17.0

Why This Matters

When mcp-atlassian runs with HTTP transport, it binds to 0.0.0.0 (all network interfaces) with no authentication. Any device on the same network — a shared office WiFi, a co-working space, a cloud VPC — can invoke any of its 40+ tools without credentials.

CVE-2026-27825 lets an attacker write arbitrary files to the host: drop a reverse shell into ~/.bashrc, add SSH keys to ~/.ssh/authorized_keys, or plant a cron job — achieving full remote code execution.

CVE-2026-27826 turns the MCP server into an SSRF proxy: the attacker can reach cloud metadata endpoints (169.254.169.254), scan internal services, and map the victim's network — all from the victim's own machine.

Am I Affected?

Use the update script to scan your system:

# Download the script or clone this repository

# Check if you're affected (read-only, makes no changes)
./update-mcp-atlassian.sh --check-only

# Also scan MCP client configs (Claude Desktop, Cursor, VS Code)
./update-mcp-atlassian.sh --check-only --scan

What the Script Detects

| Method | What it checks |
|--------|---------------|
| pip / pip3 | System or virtualenv installs via pip show |
| uv tool | Tools installed via uv tool install |
| Source checkouts | Searches ~ for pyproject.toml files referencing mcp-atlassian |
| Virtualenvs | Searches ~ for site-packages/mcp_atlassian directories |
| Docker images | Images matching mcp-atlassian |
| MCP client configs | (with --scan) Claude Desktop, Cursor, VS Code, Claude Code settings |

Example Output

=== mcp-atlassian Security Update Check ===
CVE-2026-27825 (CVSS 9.1) + CVE-2026-27826 (CVSS 8.2)
Safe version: >= 0.17.0

--- Scanning for mcp-atlassian installations ---

  [!!] pip: 0.16.1 (VULNERABLE) -- /usr/local/lib/python3.12/site-packages
  [OK] uv-tool: 0.17.0 (safe) -- uv tool install

Found 2 installation(s): 1 vulnerable, 1 safe, 0 unknown

1 vulnerable installation(s) found.
Run without --check-only to upgrade.

Script Options

--check-only    Scan only, make no changes (recommended first run)
--scan          Also check MCP client configs for mcp-atlassian references
                and flag dangerous transport settings (0.0.0.0, HTTP transport)
-h, --help      Show help
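The --scan check for dangerous transport settings, as an added Python example (not the repository's bash script): it walks an mcpServers config, keeps the entries that launch mcp-atlassian, and flags HTTP transport and all-interface binding. The --transport/--host flags and TRANSPORT/HOST variables it looks for are assumptions about the mcp-atlassian CLI, and the sample config is constructed.

```python
import json

# Assumed mcp-atlassian conventions (check them against the version you run):
# --transport or env TRANSPORT selects stdio | sse | streamable-http, and
# --host or env HOST sets the bind address; with no host given, HTTP transport
# listens on 0.0.0.0 as described above.
HTTP_TRANSPORTS = {"sse", "streamable-http"}

def _option(args: list, flag: str):
    """Value of '--flag value' or '--flag=value' in an argv list, else None."""
    for i, a in enumerate(args):
        if a == flag and i + 1 < len(args):
            return args[i + 1]
        if a.startswith(flag + "="):
            return a.split("=", 1)[1]
    return None

def audit_mcp_config(config: dict) -> list:
    """One finding per mcpServers entry that launches mcp-atlassian."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        args = [str(a) for a in server.get("args", [])]
        env = server.get("env") or {}
        launch = " ".join([str(server.get("command", "")), *args])
        if "mcp-atlassian" not in launch and "mcp_atlassian" not in launch:
            continue
        transport = (_option(args, "--transport") or env.get("TRANSPORT") or "stdio").lower()
        host = _option(args, "--host") or env.get("HOST")
        issues = []
        if transport in HTTP_TRANSPORTS:
            issues.append(f"HTTP transport '{transport}': unauthenticated network listener")
            if host in (None, "0.0.0.0", "::"):
                issues.append("bound to all interfaces (explicit 0.0.0.0/:: or no --host)")
        findings.append({"server": name, "transport": transport, "host": host, "issues": issues})
    return findings

def audit_config_file(path: str) -> list:
    """Audit a Claude Desktop / Cursor style JSON config (mcpServers key) on disk."""
    with open(path, encoding="utf-8") as f:
        return audit_mcp_config(json.load(f))

# Constructed sample in the mcpServers layout those clients use.
SAMPLE_CONFIG = {"mcpServers": {
    "atlassian-stdio": {"command": "uvx", "args": ["mcp-atlassian"]},
    "atlassian-lan": {"command": "uvx",
                      "args": ["mcp-atlassian", "--transport", "streamable-http", "--port", "9000"]},
    "atlassian-loopback": {"command": "docker",
                           "args": ["run", "-i", "--rm", "-e", "TRANSPORT", "-e", "HOST",
                                    "ghcr.io/sooperset/mcp-atlassian:latest"],
                           "env": {"TRANSPORT": "sse", "HOST": "127.0.0.1"}},
}}
```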

How to Upgrade

Automatic (via the script)

# Scan and upgrade vulnerable installations
./update-mcp-atlassian.sh

The script upgrades pip, pip3, uv tool, and virtualenv installations automatically. For source checkouts and Docker images, it prints manual instructions.

Manual

| Method | Command |
|--------|---------|
| pip | pip install --upgrade "mcp-atlassian>=0.17.0" |
| uv tool | uv tool upgrade mcp-atlassian |
| Source | cd mcp-atlassian && git pull && uv sync |
| Docker | docker pull ghcr.io/sooperset/mcp-atlassian:latest |

Technical Details

For a full technical writeup including vulnerable code paths, exploitation flows, real-world attack scenarios, and how the fixes work, see the blog post.

CVE-2026-27825 — Arbitrary File Write

The download_attachment() method in confluence/attachments.py accepts a user-supplied target_path and writes to it with no path validation:

# v0.16.1 — no path traversal check
os.makedirs(os.path.dirname(target_path), exist_ok=True)
with open(target_path, "wb") as f:   # writes to ANY path
    for chunk in response.iter_content(chunk_size=8192):
        f.write(chunk)

Fixed in PR #987 by adding validate_safe_path() — resolves symlinks, normalizes paths, enforces base directory containment.
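The containment check the fix describes, written here as an added example rather than taken from PR #987; validate_safe_path and write_attachment_safe are assumed names, and demo() builds its own throwaway directory with constructed inputs.

```python
import os
import tempfile
from pathlib import Path

def validate_safe_path(base_dir: str, target_path: str) -> Path:
    """Resolve target_path and require it to stay inside base_dir.

    Path.resolve() normalises '..' segments and follows symlinks, so a '../'
    traversal, an absolute path outside the base, and a symlink inside the
    base that points outside it are all rejected with ValueError.
    """
    base = Path(base_dir).resolve()
    target = (base / target_path).resolve()  # a relative target is anchored to base
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError(f"refusing to write outside {base}: {target_path!r}") from None
    if target == base:
        raise ValueError("target must name a file inside the base directory")
    return target

def write_attachment_safe(base_dir: str, target_path: str, chunks) -> Path:
    """Hardened counterpart of the v0.16.1 write: validate, then create dirs under base only."""
    target = validate_safe_path(base_dir, target_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "wb") as f:
        for chunk in chunks:
            f.write(chunk)
    return target

def demo() -> dict:
    """Exercise the check against constructed inputs in a throwaway directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base, outside = os.path.join(tmp, "attachments"), os.path.join(tmp, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))  # symlink that escapes base
        written = write_attachment_safe(base, "docs/report.pdf", [b"%PDF-", b"1.7"])
        results["normal"] = written.read_bytes() == b"%PDF-1.7"
        attempts = {"traversal": "../outside/x", "absolute": outside + "/x", "symlink": "link/x"}
        for label, bad in attempts.items():
            try:
                validate_safe_path(base, bad)
                results[label] = False  # would have escaped the base directory
            except ValueError:
                results[label] = True   # rejected, as intended
    return results
```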

CVE-2026-27826 — SSRF via Header Injection

The middleware in servers/main.py trusts X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers without validation, allowing an attacker to redirect the server's outbound requests to arbitrary URLs.

Fixed in PR #986 by adding validate_url_for_ssrf() — scheme allowlist, private IP blocking, DNS resolution checks, redirect validation.
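An outbound-URL check of the kind the fix describes (scheme allowlist, private-address blocking, resolving the hostname before trusting it), written here as an added example rather than taken from PR #986; the function names, the allowlist and the constructed DNS table are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: an allowlist of the kind the fix adds

def _dns_resolve(host: str) -> list:
    # Default resolver: every A/AAAA answer for host (live DNS lookup).
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_url_for_ssrf(url: str, resolve=None) -> str:
    """Return url if it is safe as an outbound base URL, else raise ValueError.
    Scheme allowlist, host present, and every address the host resolves to is
    globally routable (169.254.169.254, loopback, RFC 1918, 0.0.0.0 and their
    IPv4-mapped IPv6 forms are rejected). `resolve` replaces DNS in tests.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in (resolve or _dns_resolve)(host)]
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url

def is_safe_url(url: str, resolve=None) -> bool:
    try:
        validate_url_for_ssrf(url, resolve)
        return True
    except ValueError:
        return False

CONSTRUCTED_DNS = {  # constructed table for offline use; 8.8.8.8 stands in for any public host
    "jira.example.com": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example.com": ["8.8.8.8", "10.0.0.5"],  # one private answer is enough to reject
}
def demo_resolve(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])
```

Redirect validation, the last item the fix lists, amounts to running this same check on every Location target before following it, since a public host can answer with a redirect to a private one.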

Repository Contents

update-mcp-atlassian.sh     Scan & upgrade script (macOS / Linux)
README.md                   This file

Compatibility

  • macOS (bash 3.2+) — tested
  • Linux (bash 4+, Ubuntu, Debian, RHEL, Fedora) — supported
  • Gracefully handles missing tools (no Docker, no uv, no pip — no problem)
  • Uses -xdev to avoid traversing network mounts
  • --check-only is completely read-only

License

Apache 2.0

Getting the Script

git clone https://github.com/plutosecurity/MCPwnfluence