MCP Atlassian Unauthenticated SSRF Vulnerability via Custom Headers

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in MCP Atlassian, a Model Context Protocol server for Atlassian products such as Confluence and Jira, prior to version 0.17.0. The vulnerability allows an unauthenticated attacker to manipulate the server into making outbound HTTP requests to an arbitrary URL controlled by the attacker. This is achieved by sending either of two custom HTTP headers, 'X-Atlassian-Jira-Url' or 'X-Atlassian-Confluence-Url', without an 'Authorization' header. The issue arises in the HTTP middleware and dependency injection layer rather than in any specific MCP tool handler, which makes it undetectable through tool-level code analysis. In cloud deployments, this vulnerability could be exploited to steal IAM role credentials via the instance metadata endpoint (169.254.169.254). In any HTTP deployment, it facilitates internal network reconnaissance and the injection of attacker-controlled content into LLM tool results.
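As an added, hypothetical hardening check (not code from the MCP Atlassian project or its 0.17.0 fix): a middleware-level validation that refuses to honour the per-request URL override headers named above unless an Authorization header is present, and additionally rejects literal addresses in private or link-local ranges, including the metadata endpoint. The header names come from this advisory; the blocked ranges and the https-only rule are an assumed policy.

```python
import ipaddress
from urllib.parse import urlsplit

# Per-request override headers named in the advisory.
OVERRIDE_HEADERS = ("X-Atlassian-Jira-Url", "X-Atlassian-Confluence-Url")

# Assumed policy: address ranges an outbound request from the server should
# never reach. 169.254.0.0/16 covers the instance metadata endpoint.
_BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_blocked_host(host: str) -> bool:
    """True if host is a literal IP inside a blocked range.

    Hostnames are not resolved here; a real deployment should also resolve
    the name and re-check the resulting address (DNS rebinding).
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a literal address
    return any(addr in net for net in _BLOCKED_NETWORKS)


def check_override_headers(headers: dict) -> tuple[bool, str]:
    """Decide whether a request's URL override headers may be honoured.

    Returns (allowed, reason). Header names are matched case-insensitively,
    as HTTP requires. Requests without override headers are always allowed.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    overrides = [h for h in OVERRIDE_HEADERS if h.lower() in lower]
    if not overrides:
        return True, "no override headers"
    # The advisory's core defect: overrides accepted without Authorization.
    if "authorization" not in lower:
        return False, "override headers require Authorization"
    for name in overrides:
        parts = urlsplit(lower[name.lower()])
        if parts.scheme != "https" or not parts.hostname:
            return False, f"{name} must be an https URL with a host"
        if is_blocked_host(parts.hostname):
            return False, f"{name} points at a blocked address"
    return True, "ok"
```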

Impact

Exploitation of this vulnerability allows for unauthorized outbound HTTP requests from the server to internal or external URLs, depending on the deployment context. In cloud environments, this could result in the theft of IAM role credentials through the instance metadata service, while in other HTTP deployments, it could enable internal network reconnaissance and the injection of malicious content into LLM tool responses.

Reproduction

To reproduce this vulnerability, send a request to the MCP Atlassian server's HTTP endpoint with the 'X-Atlassian-Jira-Url' or 'X-Atlassian-Confluence-Url' header, and the 'X-Atlassian-Jira-Personal-Token' or 'X-Atlassian-Confluence-Personal-Token' header, without including an 'Authorization' header. Ensure that the server is running in a context that allows this exploitation, such as with the 'streamable-http' transport option. Once the request is received, the server will make an outbound request to the URL specified in the header, demonstrating the SSRF vulnerability.

Remediation

Users can update to MCP Atlassian version 0.17.0 or later, where this vulnerability has been fixed.

Added: Mar 10, 2026, 7:33 PM
Updated: Mar 10, 2026, 7:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.0
remediation: 0.0
relevance: 3.7
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.