CVE-2026-42864

Source
https://cve.org/CVERecord?id=CVE-2026-42864
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42864.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42864
Aliases
Published
2026-05-11T18:19:13.416Z
Modified
2026-07-08T08:12:34.715342524Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L CVSS Calculator
Summary
FireFighter: Unauthenticated SSRF in Raid jira_bot endpoint allows IAM credential theft
Details

FireFighter is an incident management application. Prior to 0.0.54, the POST /api/v2/firefighter/raid/jirabot endpoint (CreateJiraBotView) is reachable without authentication (permissionclasses = [permissions.AllowAny]). Its attachments payload is fetched server-side via httpx.get() with no URL validation, then uploaded as an attachment on the Jira ticket that gets created. An unauthenticated caller able to reach the ingress can coerce the pod into fetching arbitrary URLs and exfiltrate the response as a Jira attachment. On EC2/EKS deployments that do not enforce IMDSv2, this allows theft of the temporary AWS credentials attached to the pod's IAM role. The docstring on the view claims a Bearer token is required, but the code does not enforce it. This vulnerability is fixed in 0.0.54.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42864.json",
    "cwe_ids": [
        "CWE-306",
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/manomanotech/firefighter-incident

Affected ranges

Type
GIT
Repo
https://github.com/manomanotech/firefighter-incident
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.54"
        }
    ]
}

Affected versions

0.*
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
v0.*
v0.0.1
v0.0.1rc1
v0.0.1rc2
v0.0.2
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.40
v0.0.41
v0.0.42
v0.0.43
v0.0.44
v0.0.45
v0.0.46
v0.0.47
v0.0.48
v0.0.49
v0.0.50
v0.0.51
v0.0.52
v0.0.53

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42864.json"