CVE-2021-26084
CVE-2021-26084 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-917.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-12905
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-917
- Affected product: Atlassian Confluence Data Center
- Published:
- Last modified:
Description
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
CVE-2021-26084: Atlassian Confluence Server/Data Center Unauthenticated OGNL Injection RCE
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2021-26084 |
| CWE | CWE-917 — Expression Injection (OGNL) |
| CVSSv3 | 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSSv2 | 7.5 — AV:N/AC:L/Au:N/C:P/I:P/A:P |
| EPSS | 0.99999 (99.999th percentile) |
| KEV | Yes (added 2021-11-03) |
| EU Exploited | Yes (since 2021-11-03) |
| Affected Product | Atlassian Confluence Server, Atlassian Confluence Data Center |
| Source | NVD |
Summary
In affected versions of Confluence Server and Data Center, an unauthenticated attacker can inject and evaluate OGNL (Object-Graph Navigation Language) expressions through a vulnerable endpoint, leading to arbitrary code execution on the host instance. This vulnerability is rated Critical (CVSSv3 9.8), has been exploited in the wild since late 2021, and is tracked in the CISA KEV catalog.
Background
Confluence is a widely deployed enterprise wiki and collaboration platform. Prior to this disclosure, its server-side view-layer templates used OGNL for data binding and expression evaluation. When user input is passed directly into an OGNL evaluation context without proper sanitization, the expression engine can escape its intended scope and execute arbitrary Java code on the underlying server.
Root Cause — CWE-917: Expression Injection
The root cause is an OGNL injection flaw (CWE-917). A server-side code path accepted attacker-controlled input and passed it into an OGNL expression evaluation engine without adequate validation or sandboxing. Because OGNL is a full-featured expression language that can access the Java classloader, object instantiation, and method invocation, an attacker can craft expressions that:
- Load arbitrary classes via the classloader
- Instantiate objects and invoke methods
- Execute operating-system commands through the underlying Java runtime
The vulnerability is unauthenticated, meaning no prior account or session is required to reach the affected endpoint and trigger the injection.
Impact
| CVSSv3 Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable over the internet |
| Attack Complexity | Low | No special conditions or race conditions |
| Privileges Required | None | No account needed |
| User Interaction | None | Fully automated exploitation possible |
| Scope | Unchanged | Impact stays within the vulnerable component |
| Confidentiality | High | Full read access to application data and host files |
| Integrity | High | Ability to modify data, install backdoors, or alter configuration |
| Availability | High | Host process can be crashed or resources exhausted |
Bottom line: An unauthenticated attacker can achieve complete host compromise on internet-facing Confluence instances, enabling data theft, lateral movement, ransomware deployment, and persistent backdoors.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: The following is a high-level defensive description of how exploitation occurs. No weaponized exploit code is provided.
-
Reconnaissance — The attacker identifies an internet-facing Confluence instance by scanning for the
/rest/or/pages/URL patterns. -
Injection Point Discovery — The attacker sends a benign HTTP request containing an OGNL meta-character sequence (e.g.,
${...}or${@...}) to a known endpoint. If the application responds with unusual behavior (e.g., delayed response, Java stack-trace fragments, or unexpected data output), the endpoint is likely evaluating the input as OGNL. -
Expression Evaluation — The attacker submits an OGNL payload that leverages the static-method access feature (
@class@method(...)) to load a Java class capable of running operating-system commands. Because the expression engine runs with the privileges of the Confluence server process, the command executes in the host environment. -
Post-Exploitation — Once code execution is achieved, the attacker typically:
- Drops a webshell or remote-access payload for persistence
- Exfiltrates the Confluence database, which often contains credentials, API keys, and proprietary documents
- Uses the compromised host as a foothold for lateral movement within the internal network
Defensive takeaway: The low attack complexity and lack of authentication requirements make this vulnerability trivial to exploit with widely available public tools. Patching and network segmentation are therefore critical.
Affected and Patched Versions
| Product | Affected Versions | Patched Versions |
|---|---|---|
| Confluence Server | < 6.13.23 | 6.13.23+ |
| Confluence Server | 6.14.0 – 7.4.10 | 7.4.11+ |
| Confluence Server | 7.5.0 – 7.11.5 | 7.11.6+ |
| Confluence Server | 7.12.0 – 7.12.4 | 7.12.5+ |
| Confluence Data Center | Same version ranges as Server | Same version ranges as Server |
Versions not listed above (e.g., 7.13.x and later) are not affected by this specific CVE. Always verify the exact version via the Confluence About page or the /rest/api/serverInfo endpoint.
Remediation
- Upgrade immediately — Apply the patched version that matches your release track. Atlassian released urgent fixes for all supported LTS branches.
- Workaround (if patching is delayed) — Atlassian published a temporary mitigation script that blocks the known attack patterns at the web-server or application level. Use this only as a stop-gap measure; it is not a substitute for patching.
- Compensating controls — Until patched:
- Restrict Confluence ingress to VPN or corporate IP allow-lists
- Deploy a Web Application Firewall (WAF) rule set that blocks OGNL meta-characters and known exploit patterns (note: WAF rules can be bypassed)
- Disable the instance if it is non-critical and internet-facing
Detection
- Network signatures — Monitor HTTP POST/GET requests to Confluence endpoints containing OGNL-specific patterns (
${,@java.lang,Runtime, etc.). - Host indicators — Unexpected child processes spawned by the Confluence Java process (e.g.,
bash,cmd.exe,powershell,curl,wget). - File indicators — New webshells under
<confluence-home>/or the webapp directory, or unexpected JSP/Velocity template modifications. - Log review — Unusual HTTP 200 or 500 responses to
/rest/or/pages/endpoints from untrusted source IPs. - Threat-intelligence feeds — Queries to the CISA KEV catalog confirm active exploitation. Correlate Confluence server logs with known exploit-tool user-agent strings.
Assessment
EPSS context: With an EPSS of 0.99999 and a percentile of 0.99993, this vulnerability is statistically among the most likely to be exploited in the wild. The KEV entry and EU exploited status confirm that active exploitation has been observed for years.
Key lessons:
- Expression languages are dangerous inputs. OGNL, SpEL, and similar engines should never evaluate untrusted data without strict whitelisting or sandboxing. Treat them as potential RCE surfaces.
- Internet-facing collaboration tools are high-value targets. Confluence, Jira, and similar platforms hold sensitive intellectual property and often have broad network trust relationships. Patching windows for these systems should be measured in hours, not weeks.
References
Frequently asked questions
- What is CVE-2021-26084?
- In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
- How severe is CVE-2021-26084?
- CVE-2021-26084 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-26084 being actively exploited?
- Yes. CVE-2021-26084 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-26084?
- CVE-2021-26084 primarily affects Atlassian Confluence Data Center. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-26084?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-26084 have an EU (EUVD) identifier?
- Yes. CVE-2021-26084 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-12905. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-26084 published?
- CVE-2021-26084 was published on 2021-08-30 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html
- https://jira.atlassian.com/browse/CONFSERVER-67940
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26084
Affected products (2)
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Confluence Data Center
- CVE-2023-22527 — Critical (CVSS 9.8): A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated…
- CVE-2023-22518 — Critical (CVSS 9.8): All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper…
- CVE-2023-22515 — Critical (CVSS 9.8): Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have…
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2022-26134 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2024-21683 — High (CVSS 8.8): This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center…
All CVEs affecting Atlassian Confluence Data Center →
Other CWE-917 vulnerabilities
- CVE-2025-3322 — Critical (CVSS 10.0): An improper neutralization of inputs used in expression language allows remote code execution with the highest…
- CVE-2022-22947 — Critical (CVSS 10.0): In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack…
- CVE-2026-11561 — Critical (CVSS 9.8): Improper neutralization of special elements used in an expression language statement ('expression language injection')…
- CVE-2026-22738 — Critical (CVSS 9.8): In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a…
- CVE-2026-24713 — Critical (CVSS 9.8): Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7,…
- CVE-2023-51593 — Critical (CVSS 9.8): Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability…