CVE-2021-26073

7.7 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass authentication in Atlassian Connect Express (ACE) by sending context JWTs to lifecycle endpoints where only server-to-server JWTs should be accepted. This permits attackers to send authenticated re-installation events to an app, potentially compromising app integrity. ACE versions from 3.0.2 up to, but not including, 6.6.0 are affected.

💻 Affected Systems

Products:
  • Atlassian Connect Express (ACE)
Versions: 3.0.2 to 6.5.x
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ACE apps using JWT authentication with lifecycle endpoints exposed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could force re-installation of malicious apps, potentially gaining unauthorized access to Atlassian product data or executing arbitrary code in the app context.

🟠

Likely Case

Attackers could disrupt app functionality, install unauthorized apps, or manipulate app configurations to gain access to sensitive data.

🟢

If Mitigated

With proper JWT validation and network segmentation, impact is limited to app disruption rather than full system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires understanding of JWT tokens and ACE endpoints but is straightforward for attackers with access to valid context JWTs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.0

Vendor Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1051986099

Restart Required: Yes

Instructions:

1. Update Atlassian Connect Express to version 6.6.0 or later using npm: npm update atlassian-connect-express
2. Restart your Node.js application
3. Verify the update with: npm list atlassian-connect-express

🔧 Temporary Workarounds

Restrict lifecycle endpoint access

Applies to: all

Implement network-level restrictions to limit access to ACE lifecycle endpoints only from trusted Atlassian product IPs.

Manual JWT validation

Applies to: all

Implement custom middleware to validate JWT types before processing lifecycle endpoint requests.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate ACE apps from untrusted networks
  • Monitor and alert on unusual installation/re-installation events in app logs

🔍 How to Verify

Check if Vulnerable:

Check your package.json or run: npm list atlassian-connect-express | grep atlassian-connect-express

Check Version:

npm list atlassian-connect-express | grep atlassian-connect-express

Verify Fix Applied:

Verify installed version is 6.6.0 or higher: npm list atlassian-connect-express

📡 Detection & Monitoring

Log Indicators:

  • Multiple installation events from same source
  • Installation events with context JWTs instead of server-to-server JWTs
  • Unusual timing of app re-installations

Network Indicators:

  • HTTP POST requests to /installed or /uninstalled endpoints from unexpected sources
  • JWT token validation failures in logs

SIEM Query:

source="ace-app-logs" AND (event="installed" OR event="uninstalled") AND count() > threshold
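The log and network indicators above can be turned into a small detector. The example below is added here and is not from the advisory or from ACE; the JSON log format, field names and all sample lines are constructed for the example. It flags two of the listed indicators: any lifecycle event whose token carried the context-JWT marker `context-qsh`, and a burst of installation events from the same source within a time window (the generic form of the "count() > threshold" query above).

```javascript
// Added example (not ACE's own code): detector over constructed lifecycle-event
// log lines. Field names (ts, event, clientKey, src, qsh) are an assumption.
const MAX_PER_WINDOW = 3;     // installs allowed per source inside the window
const WINDOW_SECONDS = 600;   // sliding window length

// Constructed sample log lines, including one non-JSON line to exercise parsing.
const SAMPLE_LOG = [
  '{"ts":1700000000,"event":"installed","clientKey":"tenant-a","src":"203.0.113.10","qsh":"a1b2"}',
  '{"ts":1700000030,"event":"installed","clientKey":"tenant-b","src":"198.51.100.7","qsh":"context-qsh"}',
  '{"ts":1700000060,"event":"installed","clientKey":"tenant-b","src":"198.51.100.7","qsh":"c3d4"}',
  '{"ts":1700000090,"event":"installed","clientKey":"tenant-b","src":"198.51.100.7","qsh":"e5f6"}',
  '{"ts":1700000120,"event":"installed","clientKey":"tenant-b","src":"198.51.100.7","qsh":"0a0b"}',
  '{"ts":1700000150,"event":"uninstalled","clientKey":"tenant-b","src":"198.51.100.7","qsh":"1c1d"}',
  'garbage line that is not json',
  '{"ts":1700004000,"event":"installed","clientKey":"tenant-a","src":"203.0.113.10","qsh":"2e2f"}',
];

function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch (e) {
    return null; // skip lines that are not JSON
  }
}

// Return a list of findings, each { rule, src, clientKey, ts, ... }.
function detect(lines) {
  const findings = [];
  const events = lines.map(parseLine)
    .filter((e) => e && (e.event === 'installed' || e.event === 'uninstalled'))
    .sort((a, b) => a.ts - b.ts);

  // Rule 1: a lifecycle event authenticated with a context JWT. On a fixed
  // ACE this should never succeed; on a vulnerable one it is the attack signal.
  for (const e of events) {
    if (e.qsh === 'context-qsh') {
      findings.push({ rule: 'context-jwt-on-lifecycle', src: e.src, clientKey: e.clientKey, ts: e.ts });
    }
  }

  // Rule 2: more than MAX_PER_WINDOW installation events from one source
  // inside WINDOW_SECONDS. Fires once, when the threshold is first crossed.
  const recentBySrc = new Map();
  for (const e of events) {
    if (e.event !== 'installed') continue;
    const recent = recentBySrc.get(e.src) || [];
    recent.push(e.ts);
    while (recent.length && recent[0] < e.ts - WINDOW_SECONDS) recent.shift();
    recentBySrc.set(e.src, recent);
    if (recent.length === MAX_PER_WINDOW + 1) {
      findings.push({ rule: 'install-burst', src: e.src, count: recent.length, ts: e.ts });
    }
  }
  return findings;
}

function runDemo() {
  return detect(SAMPLE_LOG);
}
```

On the sample above this yields two findings: the context-JWT install from 198.51.100.7 and an install burst from the same source once its fourth install lands inside the ten-minute window; the benign tenant-a installs are far enough apart to stay under the threshold.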
