CVE-2026-27825 (CVSS 9.8) is an unauthenticated RCE in the mcp-atlassian Model Context Protocol connector. It chains SSRF with an unrestricted file write primitive to achieve full host compromise with no credentials required, and from there an attacker can potentially pivot into connected Jira and Confluence infrastructure. The attack chain, dubbed MCPwnfluence, is publicly documented; a maintainer patch was released 2026-02-24 and no CISA KEV listing exists yet, but the privileged position of this connector as a bridge to internal Atlassian infrastructure elevates practical risk beyond EPSS estimates. Apply the 2026-02-24 patch immediately, take the server offline or restrict it to trusted hosts if patching is delayed, and review Atlassian access logs for anomalous unauthenticated requests or bulk data reads predating the patch.
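
One way to run the log review recommended above (an added example, not code from the advisory or the mcp-atlassian project). Assumptions: the Atlassian front end or reverse proxy writes Common Log Format, and the cutoff time, the threshold of 100 reads per hour, and every address, account name and log line in the sample are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Common Log Format: client ident user [time] "request" status bytes.
# Assumption: the Atlassian front end or reverse proxy logs in this layout.
CLF = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Hypothetical time the patch was deployed locally; replace with your own.
CUTOFF = datetime(2026, 2, 25, tzinfo=timezone.utc)

def review(lines, cutoff=CUTOFF, bulk_threshold=100):
    """Return (unauth_hits, bulk_readers) for successful requests before cutoff."""
    unauth, reads = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or non-2xx response
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if when >= cutoff:
            continue
        if m["user"] == "-":  # served without an authenticated user
            unauth.append((when, m["ip"], m["path"]))
        if m["method"] == "GET":  # count reads per client, account and UTC hour
            hour = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H")
            reads[(m["ip"], m["user"], hour)] += 1
    bulk = {key: n for key, n in reads.items() if n >= bulk_threshold}
    return unauth, bulk

def sample_lines():
    """Constructed log lines (documentation addresses, made-up accounts)."""
    burst = [
        f'10.0.0.5 - svc-mcp [20/Feb/2026:03:{i // 60:02d}:{i % 60:02d} +0000] '
        f'"GET /rest/api/2/issue/DEMO-{i} HTTP/1.1" 200 2048'
        for i in range(150)
    ]
    return burst + [
        '203.0.113.9 - - [21/Feb/2026:11:02:03 +0000] "GET /rest/api/2/search HTTP/1.1" 200 5120',
        '203.0.113.9 - - [21/Feb/2026:11:02:09 +0000] "GET /rest/api/2/myself HTTP/1.1" 401 120',
        '198.51.100.7 - alice [22/Feb/2026:09:00:00 +0000] "GET /browse/DEMO-1 HTTP/1.1" 200 900',
        '203.0.113.9 - - [26/Feb/2026:08:00:00 +0000] "GET /rest/api/2/search HTTP/1.1" 200 5120',
    ]

if __name__ == "__main__":
    unauth, bulk = review(sample_lines())
    for when, ip, path in unauth:
        print("unauthenticated 2xx:", when.isoformat(), ip, path)
    for (ip, user, hour), n in bulk.items():
        print(f"bulk reads: {n} GETs from {ip} as {user} during {hour}Z")
```

Pay particular attention to bulk readers whose account is the one the connector's stored credentials belong to, since a compromised host would read through that identity.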