CVE-2026-42864

CVE-2026-42864 is a critical-severity vulnerability (missing authentication for a critical function, CWE-306) in the firefighter-incident Python package (pip), affecting all versions before 0.0.54. It is fixed in 0.0.54.

Summary

FireFighter has an unauthenticated SSRF in its Raid jira_bot endpoint that allows theft of cloud IAM credentials.

Impact

The POST /api/v2/firefighter/raid/jira_bot endpoint (CreateJiraBotView) is
reachable without authentication (permission_classes = [permissions.AllowAny]).
Each URL in its attachments payload is fetched server-side via httpx.get() with
no URL validation, and the response body is then uploaded as an attachment on
the Jira ticket that gets created.

An unauthenticated caller able to reach the ingress can coerce the pod into
fetching arbitrary URLs, including the cloud metadata endpoint at
http://169.254.169.254/, and exfiltrate the response as a Jira attachment.

On EC2/EKS deployments that do not enforce IMDSv2, this allows theft of the
temporary AWS credentials attached to the pod's IAM role. The docstring on the
view claims a Bearer token is required, but the code does not enforce it.

Affected code paths:

  • src/firefighter/raid/views/__init__.py, CreateJiraBotView
  • src/firefighter/raid/serializers.py, LandbotIssueRequestSerializer.attachments
  • src/firefighter/raid/client.py, RaidJiraClient.add_attachments_to_issue

Patches

Fixed in firefighter-incident 0.0.54:

  • CreateJiraBotView now enforces BearerTokenAuthentication + IsAuthenticated.
  • attachments URLs are validated: http(s) scheme only, max 10 URLs, rejection
    of any host resolving to a private, loopback, link-local, reserved, multicast
    or unspecified IP (IPv4 and IPv6).
  • Also fixes an unrelated KeyError('attachments') that surfaced during
    regression testing.

Users should upgrade to 0.0.54 or later.
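The two sections above describe both the weak fetch (any URL handed to httpx.get()) and the policy the fix applies (http(s) only, at most 10 URLs, no host resolving to a private, loopback, link-local, reserved, multicast or unspecified address, IPv4 or IPv6). The following is an added example of such an allow-list check, written for this page; it is not FireFighter's code, and the names attachment_url_problem, validate_attachments, MAX_ATTACHMENTS and resolve_all, the injectable resolver and the sample hostnames are assumptions made for the example. It goes one step beyond the advisory's wording in that it unwraps IPv4-mapped IPv6 literals, which a naive IPv6 check would otherwise let through.

```python
# Added example (not the project's code): an allow-list check for attachment
# URLs that implements the validation policy described in the advisory.
# attachment_url_problem, validate_attachments, MAX_ATTACHMENTS and resolve_all
# are names assumed for this example, not FireFighter's own identifiers.
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Union
from urllib.parse import urlsplit

MAX_ATTACHMENTS = 10                  # assumed cap, matching the "max 10 URLs" rule
ALLOWED_SCHEMES = {"http", "https"}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]   # hostname -> every address it resolves to


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host, via getaddrinfo.

    Going through the system resolver also normalises odd IPv4 spellings
    (decimal or octal forms) into dotted-quad addresses before they are judged.
    """
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    return sorted({info[4][0] for info in infos})


def is_forbidden_address(ip: IPAddress) -> bool:
    """True for private, loopback, link-local, reserved, multicast or unspecified IPs."""
    # Judge an IPv4-mapped IPv6 address (::ffff:169.254.169.254) as the IPv4
    # address it wraps; otherwise the metadata endpoint slips through as "IPv6".
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def attachment_url_problem(url: str, resolver: Resolver = resolve_all) -> Optional[str]:
    """Return None if url may be fetched, otherwise a short reason for rejecting it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname            # strips userinfo, port and IPv6 brackets
    if not host:
        return "missing host"
    try:
        addresses: List[IPAddress] = [ipaddress.ip_address(host)]   # literal IP
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError as exc:
            return str(exc)
    if not addresses:
        return f"{host!r} resolved to no addresses"
    for ip in addresses:             # every answer must be public, not just the first
        if is_forbidden_address(ip):
            return f"{host!r} resolves to non-public address {ip}"
    return None


def validate_attachments(urls: Iterable[str], resolver: Resolver = resolve_all) -> List[str]:
    """Apply the count limit and the per-URL check; raise ValueError on the first failure."""
    urls = list(urls)
    if len(urls) > MAX_ATTACHMENTS:
        raise ValueError(f"too many attachments: {len(urls)} > {MAX_ATTACHMENTS}")
    for url in urls:
        problem = attachment_url_problem(url, resolver)
        if problem:
            raise ValueError(f"rejected attachment {url!r}: {problem}")
    return urls


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline; the default uses real DNS.
    fake_dns = {"files.example.com": ["8.8.8.8"],
                "rebind.example": ["8.8.8.8", "169.254.169.254"]}
    for url in ["https://files.example.com/report.pdf",
                "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
                "http://[::ffff:169.254.169.254]/",
                "http://rebind.example/",
                "file:///etc/passwd"]:
        print(url, "->", attachment_url_problem(url, fake_dns.__getitem__) or "ok")
```

Two caveats a reviewer would raise against any check of this shape. Resolving here and letting the HTTP client resolve again at fetch time is a time-of-check/time-of-use gap (DNS rebinding); closing it means pinning the connection to the address that was validated, or re-running the check at connect time. And if the fetch follows redirects, every hop needs the same check, since a public host can 302 to http://169.254.169.254/.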

Workarounds

Until upgrade is possible, any one of the following blocks end-to-end exploitation:

  • Restrict ingress access to /api/v2/firefighter/raid/jira_bot to trusted
    networks only (VPN, internal load balancer).
  • Rotate or revoke the Jira API token configured as RAID_JIRA_API_PASSWORD;
    this makes jira.create_issue() fail before the vulnerable attachment fetch
    is reached. Legitimate traffic is blocked as well, so this is an emergency
    mitigation only.
  • Enforce IMDSv2 (HttpTokens=required) with HttpPutResponseHopLimit=1 on
    EC2/EKS nodes. This does not fix the SSRF itself, but it neutralises the
    IAM-credential-theft path: IMDSv2 only answers requests carrying a session
    token obtained with a PUT, and the SSRF can only issue a GET, while the hop
    limit of 1 keeps the token response from crossing the pod's network hop.

Resources

  • CWE-918: Server-Side Request Forgery
  • CWE-306: Missing Authentication for Critical Function

A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.

CVE-2026-42864 has a CVSS score of 9.9 (Critical). The attack vector is the network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.54); upgrading removes the vulnerable code path.

Affected versions

firefighter-incident (< 0.0.54)

Security releases

firefighter-incident → 0.0.54 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade firefighter-incident to 0.0.54 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-42864? CVE-2026-42864 is a critical-severity missing authentication for critical function vulnerability in firefighter-incident (pip), affecting versions < 0.0.54. It is fixed in 0.0.54. A critical operation is accessible without requiring any authentication.
  2. How severe is CVE-2026-42864? CVE-2026-42864 has a CVSS score of 9.9 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of firefighter-incident are affected by CVE-2026-42864? firefighter-incident (pip) versions < 0.0.54 are affected.
  4. Is there a fix for CVE-2026-42864? Yes. CVE-2026-42864 is fixed in 0.0.54. Upgrade to this version or later.
  5. Is CVE-2026-42864 exploitable, and should I be worried? Whether CVE-2026-42864 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-42864 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42864? Upgrade firefighter-incident to 0.0.54 or later.

