CVE-2021-26084

9.8 CRITICAL

📋 TL;DR

CVE-2021-26084 is a critical OGNL injection vulnerability in Confluence Server and Data Center that allows unauthenticated attackers to execute arbitrary code on vulnerable instances. Any organization running an affected Confluence version is exposed, and successful exploitation can lead to complete system compromise. The vulnerability is actively exploited in the wild.

💻 Affected Systems

Products:
  • Confluence Server
  • Confluence Data Center
Versions: Before 6.13.23, 6.14.0-7.4.10, 7.5.0-7.11.5, 7.12.0-7.12.4
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with the attacker gaining full administrative control, data exfiltration, ransomware deployment, and lateral movement to other systems.

🟠 Likely Case

Initial foothold leading to web shell installation, credential theft, and deployment of cryptocurrency miners or backdoors.

🟢 If Mitigated

Attack blocked at the network perimeter or detected by security controls before successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available. Actively exploited by threat actors including ransomware groups.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.13.23, 7.4.11, 7.11.6, 7.12.5 (or any later version within each release line)

Vendor Advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

Restart Required: Yes

Instructions:

1. Back up your Confluence instance.
2. Download the appropriate fixed version from Atlassian downloads.
3. Stop the Confluence service.
4. Apply the patch/upgrade.
5. Restart the Confluence service.
6. Verify the upgrade succeeded.

🔧 Temporary Workarounds

Block vulnerable endpoints (platform: all)

Block access to /pages/doenterpagevariables.action and similar vulnerable endpoints via a web application firewall or reverse proxy. This reduces exposure but is not a substitute for the vendor patch.

# Example nginx location block (case-insensitive match on the vulnerable action):
location ~* /pages/doenterpagevariables\.action {
    # return 403 is evaluated first (rewrite phase); deny all is a belt-and-braces
    # access-phase rule in case the return directive is later removed
    deny all;
    return 403;
}

Network segmentation (platform: linux)

Restrict Confluence access to trusted networks only.

# Example iptables rules (8090 is the default Confluence port; adjust if changed
# or if Confluence sits behind a reverse proxy). Order matters: the ACCEPT for the
# trusted range must precede the DROP, and any earlier ACCEPT rules in the chain
# will still take precedence.
iptables -A INPUT -p tcp --dport 8090 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and untrusted networks
  • Implement strict network segmentation and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Confluence version via the admin interface, or by inspecting the version embedded in the filename of confluence/WEB-INF/lib/confluence-x.x.x.jar.

Check Version:

# List the lib directory and extract the main Confluence jar name; the version is
# in the filename, so do not grep the binary jar contents
ls /opt/atlassian/confluence/confluence/WEB-INF/lib/ | grep -o '^confluence-[0-9.]*\.jar$'

Verify Fix Applied:

Verify the version is 6.13.23+, 7.4.11+, 7.11.6+, or 7.12.5+ (within the respective release line) and confirm that requests to the vulnerable endpoints are rejected.
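The following is an added example (not part of the original advisory) that turns the version check above into code: it extracts the version from the main jar filename and tests it against the affected ranges listed on this page. The directory listing is constructed sample input.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges from this advisory (inclusive bounds); None = no lower bound.
AFFECTED_RANGES = [
    (None, (6, 13, 22)),          # everything before 6.13.23
    ((6, 14, 0), (7, 4, 10)),
    ((7, 5, 0), (7, 11, 5)),
    ((7, 12, 0), (7, 12, 4)),
]

# Matches only the main jar, e.g. confluence-7.12.4.jar (not confluence-core-*.jar)
JAR_RE = re.compile(r"confluence-(\d+(?:\.\d+)*)\.jar")


def parse_version(text: str) -> Version:
    """'7.12' -> (7, 12, 0); pads to three components so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def version_from_jar_name(name: str) -> Optional[Version]:
    m = JAR_RE.fullmatch(name.strip())
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version) -> bool:
    """True if the version falls inside any affected range for CVE-2021-26084."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any((lo is None or v >= lo) and v <= hi for lo, hi in AFFECTED_RANGES)


def scan_lib_listing(names: Iterable[str]) -> List[Tuple[str, Version, bool]]:
    """Given the output lines of `ls WEB-INF/lib/`, report each main jar found."""
    findings = []
    for name in names:
        v = version_from_jar_name(name)
        if v is not None:
            findings.append((name.strip(), v, is_vulnerable(v)))
    return findings


if __name__ == "__main__":
    # Constructed sample listing (hypothetical install)
    listing = ["confluence-core-7.12.4.jar", "confluence-7.12.4.jar", "ognl-3.x.jar"]
    for name, v, vuln in scan_lib_listing(listing):
        print(f"{name}: {'.'.join(map(str, v))} -> {'VULNERABLE' if vuln else 'fixed'}")
```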

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /pages/doenterpagevariables.action with OGNL payloads
  • Unusual Java process execution
  • Web shell deployment in web directories

Network Indicators:

  • Outbound connections to suspicious IPs from Confluence server
  • Unusual HTTP POST patterns to Confluence

SIEM Query (Splunk-style search; use wildcards for substring matches, since an exact match on "OGNL" or "Expression" would miss most log lines):

source="confluence.log" AND (uri_path="/pages/doenterpagevariables.action" OR message="*OGNL*" OR message="*Expression*")
