CVE-2026-42864
CVSS 9.9
FireFighter's Jira bot endpoint is wide open: no authentication despite what the docstring claims. An unauthenticated attacker who can reach the ingress can make the pod fetch any URL they choose, then read the response back as a Jira attachment. On EC2/EKS clusters that haven't enforced IMDSv2, this is a straight path to stealing the pod's AWS IAM credentials.