CVE-2021-26085
CVE-2021-26085 is a medium-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 5.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28). The underlying weakness is classified as CWE-425.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-28)
- EU (EUVD) id: EUVD-2021-12906
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-28)
- Weakness: CWE-425
- Affected product: Atlassian Confluence Data Center
- Published:
- Last modified:
Description
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
CVE-2021-26085: Atlassian Confluence Server Pre-Auth Arbitrary File Read via /s/ Endpoint
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2021-26085 |
| Published | 2021-08-03 |
| CVSS v3.1 | 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVSS v2 | 5.0 — AV:N/AC:L/Au:N/C:P/I:N/A:N |
| CWE | CWE-425: Direct Request ('Forced Browsing') |
| EPSS | 0.99937 (99.968th percentile) |
| KEV | Yes — Added 2022-03-28 |
| EU Exploited | Yes — EUVD-2021-12906, since 2022-03-28 |
Summary
CVE-2021-26085 is a pre-authentication arbitrary file read vulnerability in Atlassian Confluence Server and Data Center. The issue resides in the /s/ endpoint, which fails to enforce proper access controls before serving restricted resources. An unauthenticated remote attacker can exploit this flaw to read arbitrary files from the host, potentially exposing sensitive configuration data, credentials, or source code.
Background
Atlassian Confluence is a widely deployed enterprise collaboration platform used for documentation, knowledge management, and team workspaces. The /s/ endpoint is part of Confluence's static resource serving mechanism, intended to deliver web assets such as JavaScript, CSS, and images. In affected versions, this endpoint does not adequately validate whether the requested file should be accessible without authentication, creating a direct-request vulnerability that bypasses authorization checks.
Root Cause
The vulnerability is classified under CWE-425: Direct Request ('Forced Browsing'). The /s/ endpoint accepts file paths and serves content without verifying that the requesting user has the necessary privileges to access the requested resource. This design flaw allows an attacker to craft HTTP requests pointing to files outside the intended public static asset scope, effectively turning the endpoint into an unauthenticated file-read primitive. The absence of proper path validation and authorization enforcement is the core root cause.
Impact
The CVSS v3.1 score of 5.3 (MEDIUM) reflects the following metrics:
- Attack Vector (AV): Network — Exploitable remotely without network-level mitigations.
- Attack Complexity (AC): Low — No special conditions or advanced techniques required.
- Privileges Required (PR): None — Fully unauthenticated.
- User Interaction (UI): None — No victim interaction needed.
- Scope (S): Unchanged — Impact remains within the vulnerable component.
- Confidentiality (C): Low — Sensitive information may be exposed.
- Integrity (I): None — No direct data modification capability.
- Availability (A): None — No denial-of-service impact.
While the base score is Medium, the near-certain probability of exploitation (EPSS 0.99937) and active inclusion in the CISA KEV catalog elevate operational risk significantly. Confluence instances are frequently internet-facing, and the unauthenticated nature of this flaw makes large-scale scanning and exploitation trivial.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive and detection purposes only. No weaponized exploit code is included. Security practitioners should use this information to validate patches, tune detection rules, and perform authorized assessments.
An attacker sends an unauthenticated HTTP GET request to the vulnerable Confluence instance targeting the /s/ endpoint with a relative path to a sensitive file. Because the endpoint does not enforce authorization, the server returns the file contents in the HTTP response body. Common targets include:
- Configuration files containing database credentials or LDAP bind passwords
web.xmland other deployment descriptors revealing servlet mappings and security constraints- Source code or compiled class files that expose business logic or additional attack surface
- Operating-system files that may leak environment details or secrets
The exploitation requires only a standard web client and knowledge of the target file path. No authentication tokens, session cookies, or elevated privileges are necessary.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | Confluence Server / Data Center before 7.4.10 |
| Affected | Confluence Server / Data Center from 7.5.0 before 7.12.3 |
| Patched | 7.4.10 and later in the 7.4 LTS line |
| Patched | 7.12.3 and later in the 7.12 line |
Administrators should consult the Atlassian Security Advisory and release notes for their specific deployment track to confirm the correct patched version.
Remediation
- Upgrade immediately. Apply the latest patched version for your Confluence release track. Atlassian has released fixes that enforce proper authorization on the
/s/endpoint. - Compensating controls (if immediate patching is not feasible):
- Place the Confluence instance behind a reverse proxy or Web Application Firewall (WAF) and implement strict URL filtering rules to block malicious
/s/traversal patterns. - Restrict network access to Confluence to trusted IP ranges or VPN segments.
- Monitor for and block repeated unauthenticated requests to
/s/containing path traversal indicators (e.g.,../, encoded traversal sequences).
- Place the Confluence instance behind a reverse proxy or Web Application Firewall (WAF) and implement strict URL filtering rules to block malicious
- Credential rotation. If exploitation is suspected, rotate all credentials stored in Confluence configuration files, database connection strings, and integrated directory services.
Detection
- Web server / proxy logs: Look for unauthenticated GET requests to
/s/returning HTTP 200 responses with unusually large or unexpected content types. - Intrusion detection signatures: Tune IDS/IPS rules to flag requests to
/s/that contain path traversal sequences or target known sensitive filenames (web.xml,.properties,.config, etc.). - File integrity monitoring: Alert on unexpected reads or access patterns in Confluence installation directories.
- Threat intelligence feeds: Correlate source IPs against known exploit-kit infrastructure and scanner pools.
Assessment
CVE-2021-26085 is a textbook example of how a single missing authorization check on a common endpoint can expose an entire application stack. The EPSS score of 0.99937 places this vulnerability in the highest tier of observed exploitability, and its inclusion in both the CISA KEV catalog and the EU Vulnerability Database confirms active, real-world abuse. Despite a modest CVSS base score of 5.3, the unauthenticated nature of the flaw and the prevalence of internet-facing Confluence instances make this a critical patching priority in practice.
Key lessons:
- Static resource endpoints need authorization too. Developers often harden primary application routes while overlooking auxiliary endpoints such as
/s/,/static/, or/resources/. Every exposed URL path must have an explicit access-control decision. - CVSS is not the whole story. A Medium CVSS rating does not preclude mass exploitation. Combine base scores with EPSS, KEV status, and your own exposure analysis to prioritize remediation effectively.
References
Frequently asked questions
- What is CVE-2021-26085?
- Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
- How severe is CVE-2021-26085?
- CVE-2021-26085 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2021-26085 being actively exploited?
- Yes. CVE-2021-26085 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-26085?
- CVE-2021-26085 primarily affects Atlassian Confluence Data Center. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-26085?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-26085 have an EU (EUVD) identifier?
- Yes. CVE-2021-26085 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-12906. It is also flagged as exploited in the EUVD (since 2022-03-28).
- When was CVE-2021-26085 published?
- CVE-2021-26085 was published on 2021-08-03 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html
- https://jira.atlassian.com/browse/CONFSERVER-67893
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26085
Affected products (2)
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Confluence Data Center
- CVE-2023-22527 — Critical (CVSS 9.8): A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated…
- CVE-2023-22518 — Critical (CVSS 9.8): All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper…
- CVE-2023-22515 — Critical (CVSS 9.8): Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have…
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2022-26134 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2021-26084 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
All CVEs affecting Atlassian Confluence Data Center →
Other CWE-425 vulnerabilities
- CVE-2025-26689 — Critical (CVSS 9.8): Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote…
- CVE-2024-0204 — Critical (CVSS 9.8): Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via…
- CVE-2022-45276 — Critical (CVSS 9.8): An issue in the /index/user/user_edit.html component of YJCMS v1.0.9 allows unauthenticated attackers to obtain the…
- CVE-2022-26279 — Critical (CVSS 9.8): EyouCMS v1.5.5 was discovered to have no access control in the component /data/sqldata.
- CVE-2021-36560 — Critical (CVSS 9.8): Phone Shop Sales Managements System using PHP with Source Code 1.0 is vulnerable to authentication bypass which leads…
- CVE-2021-36745 — Critical (CVSS 9.8): A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for…