PT-2026-37285 · Unknown · Firefighter

Nicolas Lafitte

·

Published

2026-05-05

·

Updated

2026-05-11

·

CVE-2026-42864

CVSS v3.1

9.9

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

FireFighter versions prior to 0.0.54
Description

The POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is reachable without authentication. URLs supplied in the attachments field of the request body are fetched with httpx.get() without any validation, so an unauthenticated caller can make the server request arbitrary URLs, including internal ones, and receive the response body back as an attachment on the created Jira issue. This Server-Side Request Forgery (SSRF), a flaw in which a server is coerced into making requests of the attacker's choosing, is especially damaging on EC2/EKS deployments that do not enforce IMDSv2: a plain GET to the instance metadata service (169.254.169.254) returns temporary AWS credentials for the IAM role exposed through the node's metadata service, and the attacker reads them out of the resulting Jira attachment.
Recommendations

Update to version 0.0.54 or later. Until the update is deployed, restrict ingress to the POST /api/v2/firefighter/raid/jira_bot endpoint to trusted networks only. Rotate or revoke the Jira API token configured as RAID_JIRA_API_PASSWORD as an emergency measure. On EC2/EKS nodes, require IMDSv2 (HttpTokens=required) and set HttpPutResponseHopLimit=1: a GET-only SSRF cannot perform the PUT token handshake IMDSv2 requires, and the hop limit of 1 stops the token response from reaching containers in their own network namespace, which closes the IAM credential-theft path.
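The root cause above is a server-side fetch of an attacker-supplied URL with no checks. The following is an added example, written for this advisory and not taken from FireFighter's code base, of what a hardened attachment fetch looks like next to the vulnerable pattern: allow only http(s) on standard ports, reject embedded credentials, optionally allow-list hosts, resolve the name and refuse any non-public address (loopback, RFC 1918, link-local including 169.254.169.254, IPv4-mapped IPv6 forms of the same, shared address space, multicast), disable redirects, and bound size and time. Function names, the resolver hook, the host table and the sample payload are all constructed for the illustration.

```python
"""Validate attacker-controlled attachment URLs before fetching them server-side.

Added example for this advisory; it is NOT FireFighter's code. Function names,
the injectable resolver, and the sample payload are illustrative assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def fetch_attachment_unsafe(url):
    """The vulnerable shape: fetch whatever URL the caller sent, no checks."""
    import httpx
    return httpx.get(url).content


def resolve_host(host):
    """Resolve a name to the set of addresses it currently points to (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which includes the IMDS address
    169.254.169.254), shared address space (100.64/10), multicast and reserved
    ranges. IPv4-mapped IPv6 addresses are unwrapped first so that
    ::ffff:169.254.169.254 cannot slip through as a "different" address.
    """
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_attachment_url(url, resolver=resolve_host, allowed_hosts=None):
    """Return the set of addresses the URL resolves to, or raise ValueError.

    Checks: http(s) only, no user:pass@ in the authority, standard ports only,
    optional host allow-list, and every resolved address must be public.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise ValueError(f"host not in allow-list: {host!r}")
    try:
        ips = {str(ipaddress.ip_address(host))}  # literal IP: no DNS lookup needed
    except ValueError:
        ips = set(resolver(host))
    # Every address must be public; a name that resolves to one public and one
    # internal address is rejected rather than trusted on the public one.
    if not ips or not all(is_public_address(ip) for ip in ips):
        raise ValueError(f"host {host!r} resolves to a non-public address: {sorted(ips)}")
    return ips


def is_safe_attachment_url(url, **kwargs):
    """Boolean convenience wrapper around validate_attachment_url()."""
    try:
        validate_attachment_url(url, **kwargs)
        return True
    except ValueError:
        return False


def fetch_attachment(url, max_bytes=10 * 1024 * 1024, timeout=10.0, **kwargs):
    """Fetch only after validation, without following redirects (a redirect to an
    internal address would otherwise bypass the check), with a size cap and a
    timeout. Remaining gap: DNS rebinding between validation and connect; pin
    the validated address in the HTTP transport if that matters for you.
    """
    validate_attachment_url(url, **kwargs)
    import httpx  # imported lazily so the validator itself has no third-party dependency
    with httpx.Client(follow_redirects=False, timeout=timeout) as client:
        with client.stream("GET", url) as resp:
            if not resp.is_success:
                raise ValueError(f"unexpected status {resp.status_code} from {url}")
            buf = bytearray()
            for chunk in resp.iter_bytes():
                buf.extend(chunk)
                if len(buf) > max_bytes:
                    raise ValueError("attachment exceeds size limit")
            return bytes(buf)


if __name__ == "__main__":
    # Constructed payload of the shape the advisory describes: an attachment
    # whose URL points at the EC2 instance metadata service.
    payload = {"attachments": [
        {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    ]}
    for att in payload["attachments"]:
        verdict = "allowed" if is_safe_attachment_url(att["url"]) else "blocked"
        print(att["url"], "->", verdict)
```

The validator alone needs only the standard library, so the metadata-service case above runs offline; the literal-IP branch skips DNS entirely. In a real deployment the strongest control is the allow-list: if attachments are only ever expected from one file host, pass that host in allowed_hosts and the address checks become defence in depth rather than the primary gate.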

Fix

Missing Authentication

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-42864
GHSA-FQVV-JVHR-G5JC

Affected Products

Firefighter