
Service Advisory - CVE-2021-26084 - Confluence Server Webwork OGNL injection





Service Advisory


Please share the following information with your teams.


Information Security has noticed a recent critical vulnerability (CVE-2021-26084) in Confluence Server and Data Center that is being exploited in the wild. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to vulnerable endpoints on the Confluence Server or Data Center instance.


Severity level 

CVSS Score: (Critical) 9.8



The vulnerability permits the injection of OGNL code and thus execution of arbitrary code on computers with Confluence Server or Confluence Data Center installed. In some cases, even a user who is not authenticated can exploit the vulnerability.


Affected Versions: All 4.x.x versions, All 5.x.x versions, All 6.0.x versions, All 6.1.x versions, All 6.2.x versions, All 6.3.x versions, All 6.4.x versions, All 6.5.x versions, All 6.6.x versions, All 6.7.x versions, All 6.8.x versions, All 6.9.x versions, All 6.10.x versions, All 6.11.x versions, All 6.12.x versions, All 6.13.x versions before 6.13.23, All 6.14.x versions, All 6.15.x versions, All 7.0.x versions, All 7.1.x versions, All 7.2.x versions, All 7.3.x versions, All 7.4.x versions before 7.4.11, All 7.5.x versions, All 7.6.x versions, All 7.7.x versions, All 7.8.x versions, All 7.9.x versions, All 7.10.x versions, All 7.11.x versions before 7.11.6, All 7.12.x versions before 7.12.5.

Confluence Cloud is not affected.



A remote attacker could exploit this vulnerability to take control of an affected system.



Atlassian has released patches for CVE-2021-26084.

Update to the fixed versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0.
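To check an inventory against the affected and fixed version lists above, the following is an added example, not part of the original advisory or any Atlassian tooling. The hostnames and the sample inventory are constructed, and treating a missing patch number as 0 is an assumption.

```python
import re

# From the advisory: branches that have a fixed release -> first fixed patch number.
FIXED_PATCH = {(6, 13): 23, (7, 4): 11, (7, 11): 6, (7, 12): 5}
# From the advisory: highest affected minor per major (None = every minor is affected).
LAST_AFFECTED_MINOR = {4: None, 5: None, 6: 15, 7: 12}


def parse_version(text):
    """Parse 'major.minor[.patch]'; a missing patch is treated as 0 (assumption)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version):
    """True if the advisory lists this Confluence Server/Data Center version as affected."""
    major, minor, patch = parse_version(version)
    if major not in LAST_AFFECTED_MINOR:
        return False  # major branch not listed in the advisory
    last_minor = LAST_AFFECTED_MINOR[major]
    if last_minor is not None and minor > last_minor:
        return False  # e.g. 7.13.0, listed as a fixed version
    fixed = FIXED_PATCH.get((major, minor))
    # Branches without a fixed release are affected in full.
    return fixed is None or patch < fixed


def triage(inventory):
    """Return the hosts from {host: version} that still need the update, sorted."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {
        "wiki-a.example.org": "6.13.22",
        "wiki-b.example.org": "7.4.11",
        "wiki-c.example.org": "7.9.3",
        "wiki-d.example.org": "7.13.0",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is listed as affected; update to a fixed version")
```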





UIT Client Services at or 416 736 5800


This email was sent by: York University, 4700 Keele Street, Toronto, Ontario M3J 1P3
