Threat Advisory

FireFighter Vulnerability Exposes IAM Credential Theft

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-42864 (CVSS score 9.9) is a critical Server-Side Request Forgery (SSRF) vulnerability in FireFighter's Raid jira_bot endpoint that allows unauthenticated IAM credential theft. The affected software is the pip/firefighter-incident package in versions earlier than 0.0.54. The vulnerability stems from the lack of authentication and URL validation in the `POST /api/v2/firefighter/raid/jira_bot` endpoint, which can be coerced into fetching arbitrary URLs and exfiltrating the responses as Jira attachments. An unauthenticated caller who can reach the ingress can exploit this vulnerability by uploading malicious attachments, potentially stealing the temporary AWS credentials attached to the pod's IAM role on EC2/EKS deployments that do not enforce IMDSv2. This allows attackers to gain elevated privileges and access sensitive information, with significant business impact if exploited. Prerequisites for exploitation include access to the ingress and the ability to reach the vulnerable endpoint.
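
The root cause described above is a server-side fetch that follows a caller-supplied URL with no validation. As an added example (not code from the FireFighter project or the advisory), the block below shows the kind of check such a fetcher needs before contacting a URL: parse it, resolve the host, and refuse any address that is link-local (the range that contains the EC2/EKS metadata endpoint 169.254.169.254), private, loopback or otherwise non-public. The function names, the injectable `resolve` parameter and the sample addresses in the comments are assumptions made here for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address it currently maps to (needs network)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def address_is_blocked(addr: str) -> bool:
    """True for addresses an outbound fetch must never contact: is_global is False for
    link-local (169.254.0.0/16, home of the EC2/EKS IMDS endpoint 169.254.169.254),
    RFC 1918, loopback, ULA, reserved and IPv4-mapped ranges; multicast is added here."""
    ip = ipaddress.ip_address(addr)
    return (not ip.is_global) or ip.is_multicast

def validate_fetch_url(url: str, resolve: Callable[[str], Iterable[str]] = default_resolver) -> list[str]:
    """Return the vetted addresses for url, or raise ValueError. The fetcher should
    connect to one of these addresses (keeping the Host header) and refuse redirects,
    so a later DNS rebind or a 30x to the metadata service cannot sidestep the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6 host, no DNS needed
    except ValueError:
        addresses = list(resolve(host))  # hostname: every address it resolves to must pass
    if not addresses:
        raise ValueError(f"host does not resolve: {host}")
    blocked = [a for a in addresses if address_is_blocked(a)]
    if blocked:
        raise ValueError(f"{host} maps to non-public address(es): {blocked}")
    return addresses

def fetch_url_is_safe(url: str, resolve: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    """Boolean wrapper around validate_fetch_url for callers that only need a verdict."""
    try:
        validate_fetch_url(url, resolve)
        return True
    except ValueError:
        return False
```

Checking every resolved address rather than the hostname string is what catches non-dotted IP spellings and mixed DNS answers; requiring IMDSv2 session tokens on the instance is the complementary infrastructure control, since the advisory notes that only deployments without it are exposed.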

RECOMMENDATION:

  • We recommend updating pip/firefighter-incident to version 0.0.54.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-fqvv-jvhr-g5jc
