Two Lines of Code, Four Million Downloads, Zero Authentication

ID: b5902a7d-e788-5277-8b95-b729a830e50d

STIX ID: report--b5902a7d-e788-5277-8b95-b729a830e50d

Feed Name: NoHackie

Threat Score: 82/100

Date Published: 2026-03-09

Date Updated: 2026-04-19

Pluto Security disclosed two critical vulnerabilities in mcp-atlassian: CVE-2026-27825 (unauthenticated arbitrary file write) and CVE-2026-27826 (SSRF). Together they let anyone on the same network achieve unauthenticated RCE by sending two HTTP requests. The flaws affected widely deployed versions (pre-0.17.0) with default network exposure and were patched in v0.17.0. They require immediate patching plus defensive controls (least privilege, bind-to-localhost, enable IMDSv2) and broader MCP ecosystem changes.