CVE-2021-26085

CVE-2021-26085 is a medium-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 5.3. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28). The underlying weakness is classified as CWE-425.

Key facts

Description

Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.

CVE-2021-26085: Atlassian Confluence Server Pre-Auth Arbitrary File Read via /s/ Endpoint

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2021-26085
Published 2021-08-03
CVSS v3.1 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v2 5.0 — AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE CWE-425: Direct Request ('Forced Browsing')
EPSS 0.99937 (99.968th percentile)
KEV Yes — Added 2022-03-28
EU Exploited Yes — EUVD-2021-12906, since 2022-03-28

Summary

CVE-2021-26085 is a pre-authentication arbitrary file read vulnerability in Atlassian Confluence Server and Data Center. The issue resides in the /s/ endpoint, which fails to enforce proper access controls before serving restricted resources. An unauthenticated remote attacker can exploit this flaw to read arbitrary files from the host, potentially exposing sensitive configuration data, credentials, or source code.

Background

Atlassian Confluence is a widely deployed enterprise collaboration platform used for documentation, knowledge management, and team workspaces. The /s/ endpoint is part of Confluence's static resource serving mechanism, intended to deliver web assets such as JavaScript, CSS, and images. In affected versions, this endpoint does not adequately validate whether the requested file should be accessible without authentication, creating a direct-request vulnerability that bypasses authorization checks.

Root Cause

The vulnerability is classified under CWE-425: Direct Request ('Forced Browsing'). The /s/ endpoint accepts file paths and serves content without verifying that the requesting user has the necessary privileges to access the requested resource. This design flaw allows an attacker to craft HTTP requests pointing to files outside the intended public static asset scope, effectively turning the endpoint into an unauthenticated file-read primitive. The absence of proper path validation and authorization enforcement is the core root cause.

Impact

The CVSS v3.1 score of 5.3 (MEDIUM) reflects the following metrics:

  • Attack Vector (AV): Network — Exploitable remotely without network-level mitigations.
  • Attack Complexity (AC): Low — No special conditions or advanced techniques required.
  • Privileges Required (PR): None — Fully unauthenticated.
  • User Interaction (UI): None — No victim interaction needed.
  • Scope (S): Unchanged — Impact remains within the vulnerable component.
  • Confidentiality (C): Low — Sensitive information may be exposed.
  • Integrity (I): None — No direct data modification capability.
  • Availability (A): None — No denial-of-service impact.

While the base score is Medium, the near-certain probability of exploitation (EPSS 0.99937) and active inclusion in the CISA KEV catalog elevate operational risk significantly. Confluence instances are frequently internet-facing, and the unauthenticated nature of this flaw makes large-scale scanning and exploitation trivial.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive and detection purposes only. No weaponized exploit code is included. Security practitioners should use this information to validate patches, tune detection rules, and perform authorized assessments.

An attacker sends an unauthenticated HTTP GET request to the vulnerable Confluence instance targeting the /s/ endpoint with a relative path to a sensitive file. Because the endpoint does not enforce authorization, the server returns the file contents in the HTTP response body. Common targets include:

  • Configuration files containing database credentials or LDAP bind passwords
  • web.xml and other deployment descriptors revealing servlet mappings and security constraints
  • Source code or compiled class files that expose business logic or additional attack surface
  • Operating-system files that may leak environment details or secrets

The exploitation requires only a standard web client and knowledge of the target file path. No authentication tokens, session cookies, or elevated privileges are necessary.

Affected and Patched Versions

Status Versions
Affected Confluence Server / Data Center before 7.4.10
Affected Confluence Server / Data Center from 7.5.0 before 7.12.3
Patched 7.4.10 and later in the 7.4 LTS line
Patched 7.12.3 and later in the 7.12 line

Administrators should consult the Atlassian Security Advisory and release notes for their specific deployment track to confirm the correct patched version.

Remediation

  1. Upgrade immediately. Apply the latest patched version for your Confluence release track. Atlassian has released fixes that enforce proper authorization on the /s/ endpoint.
  2. Compensating controls (if immediate patching is not feasible):
    • Place the Confluence instance behind a reverse proxy or Web Application Firewall (WAF) and implement strict URL filtering rules to block malicious /s/ traversal patterns.
    • Restrict network access to Confluence to trusted IP ranges or VPN segments.
    • Monitor for and block repeated unauthenticated requests to /s/ containing path traversal indicators (e.g., ../, encoded traversal sequences).
  3. Credential rotation. If exploitation is suspected, rotate all credentials stored in Confluence configuration files, database connection strings, and integrated directory services.

Detection

  • Web server / proxy logs: Look for unauthenticated GET requests to /s/ returning HTTP 200 responses with unusually large or unexpected content types.
  • Intrusion detection signatures: Tune IDS/IPS rules to flag requests to /s/ that contain path traversal sequences or target known sensitive filenames (web.xml, .properties, .config, etc.).
  • File integrity monitoring: Alert on unexpected reads or access patterns in Confluence installation directories.
  • Threat intelligence feeds: Correlate source IPs against known exploit-kit infrastructure and scanner pools.

Assessment

CVE-2021-26085 is a textbook example of how a single missing authorization check on a common endpoint can expose an entire application stack. The EPSS score of 0.99937 places this vulnerability in the highest tier of observed exploitability, and its inclusion in both the CISA KEV catalog and the EU Vulnerability Database confirms active, real-world abuse. Despite a modest CVSS base score of 5.3, the unauthenticated nature of the flaw and the prevalence of internet-facing Confluence instances make this a critical patching priority in practice.

Key lessons:

  1. Static resource endpoints need authorization too. Developers often harden primary application routes while overlooking auxiliary endpoints such as /s/, /static/, or /resources/. Every exposed URL path must have an explicit access-control decision.
  2. CVSS is not the whole story. A Medium CVSS rating does not preclude mass exploitation. Combine base scores with EPSS, KEV status, and your own exposure analysis to prioritize remediation effectively.

References

Frequently asked questions

What is CVE-2021-26085?
Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint. The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.
How severe is CVE-2021-26085?
CVE-2021-26085 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2021-26085 being actively exploited?
Yes. CVE-2021-26085 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-26085?
CVE-2021-26085 primarily affects Atlassian Confluence Data Center. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-26085?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-26085 have an EU (EUVD) identifier?
Yes. CVE-2021-26085 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-12906. It is also flagged as exploited in the EUVD (since 2022-03-28).
When was CVE-2021-26085 published?
CVE-2021-26085 was published on 2021-08-03 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Atlassian Confluence Data Center

All CVEs affecting Atlassian Confluence Data Center →

Other CWE-425 vulnerabilities

Browse all CWE-425 vulnerabilities →