MCP Atlassian SSRF fix bypassed via DNS rebinding on patched build
The published fix for CVE-2026-27826 in mcp-atlassian resolves the attacker-controlled X-Atlassian-{Jira,Confluence}-Url host once at middleware time, but the outbound request re-resolves DNS at connect time with no IP pinning. A rebinding host returns a public IP for validation and 169.254.169.254 or an internal address for the actual request — restoring unauthenticated SSRF to cloud metadata on the patched build.
If you self-host mcp-atlassian for internal agent tooling, don't rely on the vendor patch. Block egress to link-local metadata endpoints at the network layer and require the MCP process to run under an IMDSv2-enforced role.