CVE-2021-26084 Overview
CVE-2021-26084 is a critical OGNL (Object-Graph Navigation Language) injection vulnerability affecting Atlassian Confluence Server and Data Center. This vulnerability allows an unauthenticated attacker to execute arbitrary code on vulnerable Confluence instances by exploiting improper input validation in the OGNL expression handling mechanism. The vulnerability requires no authentication and can be exploited remotely over the network, making it extremely dangerous for internet-exposed Confluence deployments.
Critical Impact
This vulnerability enables unauthenticated remote code execution on Confluence Server and Data Center instances, allowing attackers to completely compromise affected systems without any prior access.
Affected Products
- Atlassian Confluence Server (versions before 6.13.23)
- Atlassian Confluence Server (versions 6.14.0 before 7.4.11, 7.5.0 before 7.11.6, 7.12.0 before 7.12.5)
- Atlassian Confluence Data Center (versions before 6.13.23)
- Atlassian Confluence Data Center (versions 6.14.0 before 7.4.11, 7.5.0 before 7.11.6, 7.12.0 before 7.12.5)
Discovery Timeline
- 2021-08-30 - CVE-2021-26084 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2021-26084
Vulnerability Analysis
CVE-2021-26084 is classified under CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement), commonly known as Expression Language Injection. The vulnerability exists in the way Confluence Server and Data Center processes user-supplied input through OGNL expressions. OGNL is a powerful expression language that allows access to Java objects and methods, making it a prime target for exploitation when input validation is insufficient.
The attack can be executed remotely over the network without any authentication requirements, user interaction, or elevated privileges. Successful exploitation grants attackers complete control over the confidentiality, integrity, and availability of the target system, enabling them to execute arbitrary commands with the privileges of the Confluence application service account.
This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The high EPSS score of 94.44% (99.988th percentile) indicates an extremely high probability of exploitation, making immediate remediation essential.
Root Cause
The root cause of this vulnerability lies in improper input sanitization within the OGNL expression evaluation context. Confluence uses OGNL for various template processing and data binding operations. When user-controlled input reaches the OGNL evaluation engine without proper sanitization, attackers can inject malicious OGNL expressions that execute arbitrary Java code on the server.
The vulnerability specifically affects how certain HTTP request parameters are processed before being evaluated as OGNL expressions. The lack of proper input validation allows attackers to break out of the intended context and inject commands that are then executed by the Java runtime.
Attack Vector
The attack vector for CVE-2021-26084 is network-based, targeting specific Confluence endpoints that process OGNL expressions. Attackers craft specially formatted HTTP requests containing malicious OGNL payloads that exploit the injection point. When the vulnerable Confluence instance processes these requests, the injected OGNL expressions are evaluated, resulting in arbitrary code execution on the underlying server.
The exploitation typically involves sending crafted POST requests to vulnerable Confluence endpoints. The malicious payload contains OGNL expressions that invoke Java runtime classes to execute system commands. Since Confluence often runs with elevated privileges and has access to sensitive organizational data, successful exploitation can lead to data exfiltration, lateral movement, ransomware deployment, and complete infrastructure compromise.
For detailed technical information about the exploitation mechanism, refer to the Packet Storm Exploit Report and the Atlassian Security Advisory.
Detection Methods for CVE-2021-26084
Indicators of Compromise
- Unusual POST requests to Confluence endpoints containing OGNL syntax such as %{, ${, or Java class references like java.lang.Runtime
- Process spawning from the Confluence Java process, particularly shell processes (/bin/sh, cmd.exe) or common reconnaissance tools
- Unexpected network connections originating from the Confluence server to external IP addresses
- New or modified files in Confluence installation directories, especially webshells or backdoor scripts
- Log entries showing error messages related to OGNL expression evaluation failures
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing OGNL injection patterns and Java class invocations
- Monitor Confluence access logs for suspicious request patterns targeting known vulnerable endpoints
- Deploy endpoint detection and response (EDR) solutions to detect anomalous process creation from Java applications
- Utilize network intrusion detection systems (IDS) to identify exploitation attempts based on known payload signatures
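The access-log check described above, as an added example that is not part of the original advisory: it parses Tomcat-style combined access-log lines, percent-decodes the request target repeatedly (double encoding is a common filter-evasion trick) and flags the OGNL markers listed under Indicators of Compromise. The log lines, paths and parameter names are constructed placeholders, not real Confluence endpoints; note that access logs record only the request line, so payloads carried in a POST body are only visible with WAF or reverse-proxy body logging.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat "combined" access-log format.
# Paths and parameter names are placeholders, not real Confluence endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2021:10:15:02 +0000] "POST /example/page.action?param=%25%7B%40java.lang.Runtime%7D HTTP/1.1" 200 5120
198.51.100.9 - - [31/Aug/2021:10:15:10 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 2048
203.0.113.7 - - [31/Aug/2021:10:16:44 +0000] "POST /example/form.action?field=%2524%257B1%252B1%257D HTTP/1.1" 302 0
192.0.2.5 - - [31/Aug/2021:10:17:00 +0000] "GET /display/DOC/Home HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Markers from the advisory's indicators of compromise.
OGNL_MARKERS = ("%{", "${", "java.lang.Runtime")


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text):
    """Return one finding per request line whose decoded target carries an OGNL marker."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line; skip rather than crash
        target = decode_fully(m.group("target"))
        hits = [mk for mk in OGNL_MARKERS if mk in target]
        if not hits:
            continue
        # The advisory singles out POST requests; treat those as higher confidence.
        severity = "high" if m.group("method") == "POST" else "medium"
        findings.append({"line": lineno, "ip": m.group("ip"), "method": m.group("method"),
                         "severity": severity, "markers": hits, "decoded_target": target})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```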
Monitoring Recommendations
- Enable detailed access logging on Confluence instances and forward logs to a centralized SIEM for analysis
- Configure alerts for any child processes spawned by the Confluence Java process that are not part of normal operations
- Monitor for outbound network connections from Confluence servers to unknown or suspicious external destinations
- Implement file integrity monitoring on Confluence installation directories to detect unauthorized modifications
How to Mitigate CVE-2021-26084
Immediate Actions Required
- Immediately update Confluence Server and Data Center to patched versions: 6.13.23, 7.4.11, 7.11.6, 7.12.5, or later
- If immediate patching is not possible, restrict network access to Confluence instances to trusted networks only
- Review system and application logs for indicators of compromise before and after patching
- Consider taking internet-facing Confluence instances offline until patches can be applied
- Conduct a thorough security assessment of affected systems to identify any signs of prior exploitation
Patch Information
Atlassian has released security patches to address CVE-2021-26084. Organizations should upgrade to the following fixed versions or later:
- Version 6.13.23 for the 6.x branch
- Version 7.4.11 for the 7.4.x branch
- Version 7.11.6 for the 7.11.x branch
- Version 7.12.5 for the 7.12.x branch
Detailed patch information and upgrade instructions are available in the Atlassian Security Advisory CONFSERVER-67940. Organizations should prioritize this update given the critical severity and confirmed active exploitation of this vulnerability as documented in the CISA Known Exploited Vulnerabilities Catalog.
Workarounds
- Restrict network access to Confluence by implementing firewall rules that limit connectivity to trusted IP ranges only
- Place Confluence behind a reverse proxy with WAF capabilities configured to block OGNL injection patterns
- Disable or restrict access to the affected Confluence endpoints if they are not required for business operations
- Consider temporarily disabling Confluence's internet exposure until patching can be completed
# Example: Restrict access to Confluence using iptables
# Allow access only from trusted internal networks (adjust the ranges to your environment)
# 8090 is the default Confluence HTTP port; change it if the instance listens elsewhere
iptables -A INPUT -p tcp --dport 8090 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP
# Note: -A appends, so an earlier broad ACCEPT rule in the INPUT chain would still win;
# verify the resulting order with "iptables -L INPUT -n --line-numbers" and persist the rules,
# since they do not survive a reboot on their own
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.