Safeguard
Vulnerability Analysis

Confluence CVE-2021-26084 Explained: The Webwork OGNL Injection RCE

CVE-2021-26084 is an unauthenticated OGNL injection in Confluence Server and Data Center that allows remote code execution, rated CVSS 9.8. Here is the timeline, root cause, detection, and patched versions.

Marcus Chen
Security Researcher
5 min read

Confluence is where organizations keep their institutional memory, which makes a Confluence server a rich target and an unusually trusted position inside a network. CVE-2021-26084 turned that target into an easy one: an unauthenticated OGNL injection in Confluence Server and Data Center that let anyone who could reach the login page run code on the server. Atlassian disclosed it on August 25, 2021, and the NVD rates it CVSS 3.1 9.8 (Critical).

ID and severity

CVE-2021-26084 is a server-side OGNL (Object-Graph Navigation Language) injection vulnerability in a Confluence Webwork action. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low complexity, no privileges, no user interaction, with full compromise. Although Atlassian initially described certain configurations as requiring authentication, researchers quickly demonstrated fully unauthenticated exploitation, which is why the flaw is treated as pre-auth RCE.

Timeline and impact

Atlassian published the advisory and fixed versions on August 25, 2021. Public proof-of-concept code appeared by August 31, and widespread exploitation began around September 1, 2021, with much of the early activity dropping cryptocurrency miners. U.S. Cyber Command issued a rare public warning urging immediate patching over the following days, and CISA later added the flaw to its Known Exploited Vulnerabilities catalog.

The impact was broad because Confluence Server and Data Center are self-hosted, so patching depended entirely on each organization's own operations team. Many instances were internet-facing to support remote collaboration, and coin miners were only the opening act; the same access supported credential theft and lateral movement.

Root cause

Confluence pages support macros and variables, and some request parameters flow into server-side templates rendered by the Velocity engine, which can evaluate OGNL expressions. OGNL is a powerful expression language that can navigate object graphs and, critically, invoke methods, including methods that reach the Java runtime.

Confluence tried to defend against this with a denylist that blocked common class and property names attackers use to reach code execution. The problem with denylists is that they enumerate badness, and attackers only need one path the list forgot. Researchers found that Java array accessors and certain reflection paths were not blocked, so a crafted expression could bypass the filter and reach a method that executes an operating-system command.

A safe, high-level illustration of the injected expression, kept inside a code fence so its syntax is not interpreted:

# attacker-supplied OGNL, conceptually:
#{ (evaluate an expression that resolves the Java Runtime) }
#{ (invoke exec with an attacker command) }

The vulnerable request targeted an action such as the page-variables endpoint, where the tainted parameter reached the OGNL evaluator. The root cause is the classic combination of a dynamic expression language evaluating untrusted input, guarded by a denylist that could not enumerate every dangerous construct.

Detection

  • Inventory every Confluence Server and Data Center instance and record the exact version. Confluence Cloud is not affected.
  • Identify which instances are reachable from untrusted networks; internet-facing Confluence is the top priority.
  • Review web access logs for requests to the vulnerable Webwork endpoints containing OGNL-like expression syntax, especially around late August and September 2021.
  • Hunt for post-exploitation artifacts: unexpected processes spawned by the Confluence service account, miner binaries, new cron entries, and outbound connections to mining pools or unknown hosts.

Remediation and patched versions

Upgrade to a fixed Confluence release. Atlassian's patched versions are 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 (and later). The affected ranges are all versions before 6.13.23, 6.14.0 up to but not including 7.4.11, 7.5.0 up to but not including 7.11.6, and 7.12.0 up to but not including 7.12.5.

Atlassian also published a temporary mitigation script for administrators who could not upgrade immediately, but a script that edits classpath resources is fragile; upgrading is the authoritative fix. After patching, investigate any instance that was internet-facing, because early miners were frequently followed by more serious footholds.

How Safeguard helps

Confluence Server is packaged software your team deploys and versions, which is squarely in scope for supply chain tooling. Safeguard's software composition analysis fingerprints the Confluence and library versions in your build and deployment artifacts and flags CVE-2021-26084 against the KEV catalog, so it surfaces at the top of the queue rather than as one row among thousands. For the dependencies you own directly, auto-fix proposes and opens the version bump so the upgrade is a review-and-merge rather than a research project, and the Safeguard CLI enforces a KEV gate in CI/CD so a known-exploited build cannot ship. When the advisory is dense, Griffin AI distills the affected ranges and fix path into a plain-language brief.

Self-hosted software only stays safe if someone is tracking its version the day the advisory lands. Get started free or read the documentation.

Frequently Asked Questions

What is CVE-2021-26084?

It is a server-side OGNL injection vulnerability in a Confluence Server and Data Center Webwork action that allows an unauthenticated attacker to execute arbitrary code on the server by sending a crafted request. It is rated CVSS 9.8 (Critical).

Which Confluence versions are affected and which are patched?

Affected versions include everything before 6.13.23, the 6.14.0 through pre-7.4.11 range, 7.5.0 through pre-7.11.6, and 7.12.0 through pre-7.12.5. Fixed versions are 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0 and later. Confluence Cloud is not affected.

Was CVE-2021-26084 exploited in the wild?

Yes. Public exploit code appeared by August 31, 2021, and mass exploitation began around September 1, initially delivering cryptocurrency miners. U.S. Cyber Command publicly urged immediate patching, and the flaw is listed in the CISA Known Exploited Vulnerabilities catalog.

Why did Confluence's input filtering fail to stop it?

Confluence used a denylist to block known-dangerous class and property names in OGNL expressions, but denylists cannot enumerate every dangerous construct. Researchers found unblocked paths, such as Java array accessors, that let a crafted expression bypass the filter and reach code execution. Upgrading to a patched version is the reliable fix.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.