Unauthenticated Endpoint Vulnerability in FireFighter Incident Management Application
CVE-2026-42864

9.9 CRITICAL

Key Information:

Vendor:
CVE Published:
11 May 2026

What is CVE-2026-42864?

The FireFighter incident management application before version 0.0.54 exposes the POST /api/v2/firefighter/raid/jira_bot endpoint without any authentication check. An unauthenticated remote attacker can use it to make the application issue HTTP requests to attacker-chosen URLs (a server-side request forgery). The responses end up as attachments on the Jira tickets the endpoint creates, so data that is reachable only from inside the deployment, such as the temporary AWS credentials of the pod's IAM role, can be exfiltrated that way. The documentation states that a Bearer token is required to call the endpoint, but the implementation never enforces it. The issue is fixed in version 0.0.54.
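As an added illustration (not FireFighter's own code, and not the fix shipped in 0.0.54, which this page does not show), the two checks a handler for an endpoint like POST /api/v2/firefighter/raid/jira_bot needs before it fetches anything on a caller's behalf: enforce the Bearer token the documentation promises, and refuse outbound URLs that point at loopback, private or link-local addresses such as the cloud instance metadata service. The function names, the token value and the host allowlist are assumptions made for the example.

```python
"""Added example: authentication and outbound-URL checks for a bot-style endpoint.
Not part of the firefighter-incident project; names and values are hypothetical."""
import hmac
import ipaddress
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the expected bot token is configured server-side, never hard-coded in a real app.
EXPECTED_TOKEN = "example-bot-token-do-not-use"

# Assumption: the only host the endpoint is ever allowed to fetch from.
ALLOWED_HOSTS = frozenset({"jira.example.com"})


def check_bearer(authorization_header: Optional[str], expected: str = EXPECTED_TOKEN) -> bool:
    """True only when the Authorization header carries the expected Bearer token.

    Documenting that a token is required does nothing on its own; this check has
    to run on every request before the handler does any work.
    """
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token.encode(), expected.encode())


def classify_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Return 'ok' or a short rejection reason for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme"            # no file://, gopher://, etc.
    host = parts.hostname
    if not host:
        return "no-host"
    if parts.username or parts.password:
        return "userinfo"          # user:pass@host tricks confuse naive host checks
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # 169.254.169.254 (instance metadata), 127.0.0.0/8, 10/8, fd00::/8, ... all land here.
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return "internal-ip"
        return "ip-literal"        # literal addresses are never on the hostname allowlist
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return "host-not-allowed"
    return "ok"


def handle_jira_bot(headers: Dict[str, str], body: Dict[str, str]) -> Tuple[int, str]:
    """Minimal handler: 401 without a valid token, 400 for an unsafe URL, else 202.

    Only after both checks pass would a real handler perform the fetch and
    attach the result to the ticket it creates.
    """
    if not check_bearer(headers.get("Authorization")):
        return 401, "missing or invalid bearer token"
    url = body.get("url", "")
    verdict = classify_url(url)
    if verdict != "ok":
        return 400, "refusing outbound request: " + verdict
    return 202, "would fetch " + url


if __name__ == "__main__":
    good = {"Authorization": "Bearer " + EXPECTED_TOKEN}
    print(handle_jira_bot({}, {"url": "https://jira.example.com/"}))
    print(handle_jira_bot(good, {"url": "http://169.254.169.254/latest/meta-data/"}))
    print(handle_jira_bot(good, {"url": "https://jira.example.com/rest/api/2/issue"}))
```

The hostname allowlist is compared as a string so that the example runs offline. In production the address actually connected to must also be checked after DNS resolution, and again after every redirect, otherwise an allowed hostname that resolves to a link-local or private address reopens exactly the hole described above.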

Affected Version(s)

firefighter-incident < 0.0.54

References

CVSS v3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
