CVE-2021-26084 — Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability

Atlassian Confluence Server and Data Center — Pre-Auth OGNL Injection Enabling RCE, Mass-Exploited by Cryptominers and Ransomware Within Days of Disclosure

What is Atlassian Confluence?

Atlassian Confluence is the world's most widely deployed enterprise wiki and collaboration platform — used by development teams, IT operations, and businesses to document projects, share knowledge, and collaborate. It integrates deeply with Jira and other Atlassian tools. Confluence stores an enormous amount of sensitive organizational knowledge: internal documentation, project specifications, credentials, system configurations, and strategic plans. Many organizations make Confluence internet-accessible for remote teams, creating a broad attack surface.

Overview

CVE-2021-26084 is a critical Object-Graph Navigation Language (OGNL) injection vulnerability (CWE-917) in Atlassian Confluence Server and Data Center. OGNL is the expression language used in Confluence's template system; when user-supplied input is evaluated as OGNL expressions without proper sanitization, an attacker can inject expressions that execute arbitrary Java code on the server. In certain configurations (Confluence instances with public user registration enabled), this vulnerability is exploitable without authentication. In other configurations, any authenticated user can exploit it. Mass exploitation began within days of the patch release.

Affected Versions

Product                          Vulnerable          Fixed
Confluence Server / Data Center  6.13.x < 6.13.23    6.13.23
Confluence Server / Data Center  7.4.x < 7.4.11      7.4.11
Confluence Server / Data Center  7.11.x < 7.11.6     7.11.6
Confluence Server / Data Center  7.12.x < 7.12.5     7.12.5
Confluence Server / Data Center  7.13.x < 7.13.0     7.13.0
Atlassian Cloud                  Not affected        N/A

Technical Details

Confluence uses the OGNL expression language in its WebWork 2 framework for template rendering. Certain endpoints — particularly those involved in the Confluence page editor, macros, and widgets — evaluate user-supplied input as OGNL expressions without adequate neutralization:

  • Injection vector: HTTP POST parameters containing OGNL expressions (e.g., ${...}) submitted to vulnerable Confluence endpoints
  • Pre-auth exploitation: If Confluence has "Allow people to sign up to create their own account" enabled, the injection is reachable without authentication through the self-registration flow
  • Authenticated exploitation: Any Confluence user (even with minimal permissions) can exploit this from authenticated endpoints
  • Code execution: OGNL injection allows arbitrary Java code execution in the Confluence JVM context — equivalent to full OS command execution
  • Execution context: Runs as the Confluence application server user (often with significant filesystem and database access)

Discovery

Reported by an anonymous researcher through Atlassian's bug bounty program. Atlassian coordinated disclosure with patch release. Mass exploitation within a week of the advisory demonstrates how quickly sophisticated actors weaponize Confluence vulnerabilities.

Exploitation Context

CVE-2021-26084 was one of the most rapidly mass-exploited vulnerabilities of 2021. Within days of the patch, threat intelligence firms observed internet-wide scanning and exploitation; cryptocurrency miners were deployed on compromised Confluence servers within 48 hours of public PoC availability. Ransomware operators also incorporated this vulnerability for initial access. Confluence's position as an organizational knowledge base, holding organizational secrets, project documentation, and often hardcoded credentials, makes it extremely valuable to both financially motivated and espionage threat actors.

Remediation

  1. Upgrade Confluence to the patched version for your release series immediately (see table above)
  2. If immediate patching is not possible, apply Atlassian's provided mitigation script to disable the vulnerable OGNL evaluation
  3. Check for deployed webshells in the Confluence home directory and web application directories
  4. Review Confluence access logs for OGNL injection patterns in POST bodies: ${ or %{, including URL-encoded forms such as %24%7B
  5. If public user registration is enabled, disable it unless required — this removes the pre-auth attack vector
  6. Restrict internet access to Confluence if it doesn't need to be public-facing — require VPN for access
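One way to carry out step 4 over sample log lines, as an added example that is not Atlassian's tooling or part of the original page: it strips one or more layers of URL-encoding so that ${ and %{ are caught in encoded forms such as %24%7B, then flags POST requests carrying them. The log format, paths and addresses are constructed assumptions; Confluence's own access logs do not normally record POST bodies, so in practice this runs over a reverse proxy or WAF log that does.

```python
import re
from urllib.parse import unquote

# Expression openers named in remediation step 4; they may arrive URL-encoded once or twice.
OGNL_MARKERS = ("${", "%{")

# Constructed log format (assumption): combined-log fields followed by a quoted request body.
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<body>[^"]*)"$'
)

def normalize(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %24%7B or %2524%257B collapse to ${."""
    cur = text
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def find_ognl_markers(text: str) -> list:
    """Return the OGNL openers present once encoding layers are stripped."""
    decoded = normalize(text)
    return [m for m in OGNL_MARKERS if m in decoded]

def scan_log(lines) -> list:
    """Flag POST requests whose query string or body carries an OGNL opener."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        markers = find_ognl_markers(m.group("target") + " " + m.group("body"))
        if markers:
            hits.append({"line": n, "src": m.group("src"),
                         "path": m.group("target").split("?")[0],
                         "markers": markers})
    return hits

# Constructed sample lines; paths and addresses are placeholders, not real endpoints.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Sep/2021:10:01:22 +0000] "POST /pages/editor.action HTTP/1.1" 200 512 "title=%24%7Bexpr%7D"',
    '203.0.113.7 - - [03/Sep/2021:10:01:23 +0000] "POST /pages/editor.action?queryString=%2524%257B HTTP/1.1" 200 512 ""',
    '198.51.100.4 - - [03/Sep/2021:10:02:00 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 8192 ""',
    '198.51.100.9 - - [03/Sep/2021:10:03:14 +0000] "POST /pages/editor.action HTTP/1.1" 200 300 "title=%25%7Bexpr%7D"',
    '198.51.100.9 - - [03/Sep/2021:10:04:05 +0000] "POST /rest/api/content HTTP/1.1" 200 300 "title=Release+notes"',
]
```

Call scan_log() on the lines of such a log to get the source address, request path and the markers seen for each suspicious POST; a hit is a triage lead, not proof of compromise, so pair it with the webshell check in step 3.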

Key Details

Property              Value
CVE ID                CVE-2021-26084
Vendor / Product      Atlassian — Confluence Server and Data Center
NVD Published         2021-08-30
NVD Last Modified     2025-10-24
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-917
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date        Event
2021-08-25  Atlassian publishes security advisory; patches released for Confluence 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0
2021-08-30  CVE published
2021-09-03  Mass exploitation begins — cryptominers and ransomware actors begin scanning and exploiting globally
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17  CISA BOD 22-01 remediation deadline

References

Resource                                      Type
Atlassian Security Advisory — CVE-2021-26084  Vendor Advisory
NVD — CVE-2021-26084                          Vulnerability Database
CISA KEV Catalog Entry                        US Government