CVE-2021-26085 — Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability

Atlassian Confluence — Forced Browsing in /s/ Endpoint Exposes Restricted Resources to Unauthenticated Attackers; Used in Ransomware Campaigns

What is Atlassian Confluence?

Atlassian Confluence is an enterprise collaboration and wiki platform used by organizations to create, share, and collaborate on documentation, project planning, and internal knowledge bases. Confluence Server and Data Center run on-premises and contain an organization's most sensitive internal documentation — architecture diagrams, security policies, credentials documentation, product roadmaps, and other confidential materials. Confluence's web application serves both public (pre-authentication) and restricted (post-authentication) resources. Vulnerabilities that bypass authentication to access restricted resources can expose sensitive organizational documents to unauthenticated external attackers.

Overview

CVE-2021-26085 is a pre-authorization arbitrary file read vulnerability (CWE-425, Direct Request / Forced Browsing) in Atlassian Confluence Server. The /s/ endpoint that serves static web content can be used to access restricted resources that normally require authentication — by crafting specific requests to this endpoint, unauthenticated attackers can read files that should only be accessible after login. This allows reconnaissance of Confluence's file structure and potentially exposes application configuration files. Despite a moderate CVSS score, the Known Ransomware Use flag (see Key Details) reflects that CVE-2021-26085 was observed in ransomware operator reconnaissance chains — alongside the much more severe CVE-2021-26084 (Confluence OGNL injection RCE) — to map Confluence deployments before exploitation.

Affected Versions

Product                                        Vulnerable   Fixed
Confluence Server before 7.4.10                Yes          7.4.10
Confluence Server 7.5.x–7.12.x before 7.12.3   Yes          7.12.3
Confluence Data Center (equivalent versions)   Yes          Corresponding patch versions

Technical Details

  • Root cause: Direct Request / Forced Browsing (CWE-425) — the /s/ endpoint in Confluence serves static resources and does not properly enforce authentication requirements for all resource types; by directly requesting specific paths via the /s/ endpoint, an unauthenticated user can access resources (configuration files, pages, or application data) that should require a valid Confluence session
  • Pre-authorization access: PR:N/UI:N — no credentials or user interaction are required; the vulnerability is exploitable in a single unauthenticated HTTP request
  • Information disclosure as reconnaissance: File read access to Confluence's application structure (including WEB-INF contents or other configuration files) provides attackers with information about the Confluence deployment, credentials, or database configuration that can be used to plan further exploitation
  • Ransomware use context: CVE-2021-26085 was observed alongside the critical CVE-2021-26084 (Confluence OGNL injection, unauthenticated RCE, CVSS 9.8) in ransomware pre-attack reconnaissance; attackers used CVE-2021-26085 to identify and fingerprint Confluence instances before using CVE-2021-26084 for actual compromise
  • CISA KEV gap: CISA added CVE-2021-26085 in March 2022 (8 months after patch), coinciding with increased Confluence targeting following public exploitation of CVE-2021-26084 and CVE-2022-26134 (another critical Confluence RCE)

Discovery

Reported to Atlassian and patched in July 2021 alongside CVE-2021-26086 (Jira path traversal), suggesting coordinated security review of Atlassian products' static resource endpoints. CISA's March 2022 KEV addition reflects exploitation observed in ransomware operator reconnaissance and attack chains against Confluence deployments.

Exploitation Context

Atlassian Confluence is a common target in enterprise ransomware attacks because: (1) it is widely internet-exposed by organizations for remote collaboration, (2) it contains valuable sensitive documentation that ransomware operators exfiltrate for extortion leverage, and (3) it frequently runs on Windows servers that are valuable targets for lateral movement. CVE-2021-26085 provides reconnaissance capability (file read access) that complements the more severe CVE-2021-26084 (OGNL injection RCE) — ransomware operators in 2021-2022 systematically exploited Confluence vulnerabilities as part of initial access and data exfiltration operations.

Remediation

  1. Upgrade Confluence Server/Data Center to 7.4.10, 7.12.3, or any later version — patches CVE-2021-26085
  2. Also apply patches for CVE-2021-26084 (OGNL injection, CVSS 9.8) — more critical and exploitable in the same Confluence versions
  3. Restrict internet access to Confluence: Confluence should not be publicly internet-accessible without strong authentication; consider requiring VPN access or IP allowlisting for Confluence endpoints
  4. Apply Atlassian's recommended security hardening: restrict outbound connections from Confluence server, limit permitted URL redirects, and enforce strong session management
  5. Audit Confluence for indicators of compromise: unauthorized page access, unusual admin account activity, web shell files in Confluence's webapp directory
  6. Migrate from Confluence Server (end-of-life February 2024) to Confluence Data Center or Confluence Cloud, which receive ongoing security support
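Two of the steps above (checking whether a deployed version falls in the affected ranges from the table, and auditing access logs for unauthenticated reads of restricted resources through the /s/ endpoint) can be scripted. The following is an added defender-side example, not code from Atlassian or from this advisory; the log lines are constructed samples in Combined Log Format, and the version boundaries are taken from the Affected Versions table.

```python
import re
from urllib.parse import unquote

# Constructed sample Confluence access-log lines (not real traffic).
# The two 203.0.113.22 requests reach WEB-INF material via /s/, which this page
# names as restricted content exposed by the forced-browsing flaw.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Jul/2021:10:01:02 +0000] "GET /s/1234/_/download/resources/com.atlassian.confluence:app/app.css HTTP/1.1" 200 5120
203.0.113.22 - - [21/Jul/2021:10:01:05 +0000] "GET /s/test/WEB-INF/web.xml HTTP/1.1" 200 3120
203.0.113.22 - - [21/Jul/2021:10:01:07 +0000] "GET /s/test/..%2f..%2fWEB-INF/classes/confluence-init.properties HTTP/1.1" 200 412
203.0.113.30 - - [21/Jul/2021:10:02:00 +0000] "GET /login.action HTTP/1.1" 200 8800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Restricted-resource markers: WEB-INF (named on this page) and dot-dot traversal segments.
SUSPICIOUS = re.compile(r'web-inf|(^|/)\.\.(/|$)', re.IGNORECASE)


def flag_forced_browsing(log_text):
    """Return requests to /s/ whose (decoded) path points at restricted resources."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so double-encoded sequences (e.g. %252e) are normalised before matching.
        path = unquote(unquote(m.group("path")))
        if path.startswith("/s/") and SUSPICIOUS.search(path):
            hits.append({"ip": m.group("ip"), "path": path, "status": int(m.group("status"))})
    return hits


def is_vulnerable(version):
    """True if a Confluence Server version is in an affected range from the table above."""
    parts = tuple(int(p) for p in version.split("."))
    if parts < (7, 4, 10):                      # everything before 7.4.10
        return True
    if (7, 5, 0) <= parts < (7, 12, 3):         # 7.5.x through 7.12.2
        return True
    return False


if __name__ == "__main__":
    for h in flag_forced_browsing(SAMPLE_LOG):
        print(f"{h['ip']} -> {h['path']} ({h['status']})")
    for v in ("7.4.9", "7.4.10", "7.12.2", "7.12.3", "7.13.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

A 200 status on a flagged request is the signal to escalate, since the restricted file was actually served rather than refused.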

Key Details

Property              Value
CVE ID                CVE-2021-26085
Vendor / Product      Atlassian — Confluence Server
NVD Published         2021-08-03
NVD Last Modified     2025-10-24
CVSS 3.1 Score        5.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity              MEDIUM
CWE                   CWE-425
CISA KEV Added        2022-03-28
CISA KEV Deadline     2022-04-18
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       Low
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-04-18. Apply updates per vendor instructions.

Timeline

Date          Event
2021-07-21    Atlassian releases Confluence Server patch addressing CVE-2021-26085 pre-auth file read
2021-08-03    CVE published
2022-03-28    Added to CISA Known Exploited Vulnerabilities catalog — reflecting exploitation in ransomware and espionage campaigns
2022-04-18    CISA BOD 22-01 remediation deadline