Overview
Malicious Jira tickets contain obfuscated prompt injection that tricks Cursor into leaking JWT tokens and credentials through the Jira MCP server. The attack is zero-click: simply having the agent process a Jira ticket triggers credential exfiltration.
Who Is Affected
The issue was discovered by Snyk Labs security researchers. It targets developers using Cursor IDE with a Jira MCP integration, a common setup for development teams using Atlassian project management.
Where It Exists
The attack payload is embedded in Jira ticket content (description, comments). The vulnerability chains the Jira MCP server's data retrieval with Cursor's agent execution environment, where credentials are accessible.
When It Was Found
Published in July 2025 by Snyk Labs. The finding demonstrates the 'toxic agent flow' pattern, where trusted tools become attack vectors through untrusted data.
How It Works
An attacker creates or modifies a Jira ticket with an obfuscated prompt injection payload hidden in the description or comments. When a developer's Cursor agent fetches the ticket via the Jira MCP server, the injected instructions execute. The payload instructs the agent to extract JWT tokens, API keys, and environment variables, then exfiltrate them through Jira API calls back to the attacker.
Impact
Theft of JWT tokens, API keys, and environment variable credentials. With these tokens, attackers can access the victim's Jira workspace, connected services, CI/CD pipelines, and cloud infrastructure. The attack is difficult to detect because exfiltration uses legitimate Jira API calls.
Mitigation
Implement prompt injection detection on all Jira content before processing. Isolate credential storage from MCP agent context. Use short-lived, scoped tokens for Jira integrations. Monitor for unusual Jira API call patterns. Never expose environment variables to MCP tool contexts.
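Because the exfiltration described above rides on legitimate Jira API calls, one place to apply the monitoring advice is an egress check on the arguments of every Jira write call the agent makes. The following is an added example, not code from Snyk Labs, Cursor or any Jira MCP server; the tool name `jira_add_comment`, the argument layout and the `secret_env` mapping are hypothetical.

```python
import base64, json, re

# JWT shape: three base64url segments; a JSON header always encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]*")

def _is_jwt(candidate):
    """Confirm the first segment decodes to a JSON object carrying 'alg'."""
    header = candidate.split(".")[0]
    try:
        decoded = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False
    return isinstance(decoded, dict) and "alg" in decoded

def _strings(value):
    """Yield every string nested in a JSON-like argument structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _strings(item)

def check_outbound_call(tool_name, arguments, secret_env, min_len=12):
    """Return findings for one Jira write call; an empty list means allow."""
    findings = []
    for text in _strings(arguments):
        if any(_is_jwt(m) for m in JWT_RE.findall(text)):
            findings.append((tool_name, "jwt"))
        for name, secret in secret_env.items():
            # Skip short values to avoid matching ordinary words.
            if len(secret) >= min_len and secret in text:
                findings.append((tool_name, "env:" + name))
    return findings

def make_sample_jwt():
    """Constructed, unsigned sample token used only to exercise the check."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"sub": "dev"}), "c2lnbmF0dXJl"])

if __name__ == "__main__":
    call = {"issue": "PROJ-1", "body": "build notes " + make_sample_jwt()}  # constructed
    print(check_outbound_call("jira_add_comment", call, {}))
```

A non-empty result is a reason to block the call and alert, since a ticket comment or description has no legitimate need to carry a live token.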