CVE-2021-26084 Explained: Confluence Server OGNL Injection and Mass Exploitation
A CVSS 9.8 pre-authentication OGNL injection vulnerability in Atlassian Confluence Server and Data Center. Weaponized within hours of disclosure. Used by ransomware groups and nation-state actors within days.

CVE-2021-26084 is an OGNL (Object-Graph Navigation Language) server-side injection vulnerability in Atlassian Confluence Server and Data Center. Disclosed August 25, 2021, with a CVSS score of 9.8, it allows an unauthenticated attacker to inject and execute arbitrary OGNL expressions through HTTP query parameters, achieving remote code execution on the Confluence server.
The vulnerability attracted immediate, broad exploitation activity. CISA issued an emergency advisory within days. Mass scanning and exploitation were observed within hours of public proof-of-concept release. Ransomware operators, cryptomining groups, and nation-state actors all adopted the exploit within the first week.
The OGNL Injection: How CVE-2021-26084 Works
Atlassian Confluence uses OGNL as its expression language for rendering dynamic web content. The vulnerability exists in certain Confluence endpoints that process user-supplied query parameters without sufficient sanitization before passing them through the OGNL evaluation engine.
In affected versions, specific WebWork actions in Confluence allow unauthenticated HTTP requests to supply OGNL expressions directly in query parameters. Because the expressions are evaluated server-side in the context of the Confluence application, an attacker can break out of the template context and execute arbitrary Java code — including spawning OS processes.
On some configurations, exploitation requires no authentication whatsoever. On others, a valid Confluence account with no special permissions is sufficient. Atlassian's advisory initially framed authentication as required, then clarified that unauthenticated exploitation was possible on default-configured instances — significantly expanding the risk surface.
Affected versions include Confluence Server and Data Center before 6.13.23, before 7.4.11 (LTS), before 7.11.6, before 7.12.5, and before 7.13.0. Confluence Cloud instances were not affected.
Identify Confluence instances
Scan for Confluence Server/Data Center deployments. The Confluence login page exposes version information in HTML comments and JavaScript. Shodan and Censys indexes track exposed instances globally.
Probe for unauthenticated access
Send requests to vulnerable WebWork action endpoints without credentials. Unauthenticated exploitation is possible on default installations where the affected endpoint does not require login.
Inject OGNL expression
Supply a crafted OGNL expression as a query parameter value. The expression executes within the Confluence application context, with access to the Java runtime and system properties.
Execute OS command
Call Java's Runtime.exec() or ProcessBuilder from within the OGNL expression to execute arbitrary commands as the operating system user running the Confluence process.
Deploy implant or miner
First-wave exploitation commonly deployed cryptocurrency miners (XMRig variants) or web shells. Ransomware groups used the foothold for domain reconnaissance and network-wide encryption preparation.
Mass Exploitation: CVE-2021-26084 in the Wild
The exploitation timeline for CVE-2021-26084 was among the fastest observed for any enterprise vulnerability in 2021. Atlassian published the advisory on August 25. A proof-of-concept exploit appeared publicly on September 1. By September 2, CISA issued Advisory AA21-259A citing active exploitation at mass scale.
Threat actors who rapidly adopted CVE-2021-26084 included cryptocurrency mining groups deploying XMRig, multiple ransomware affiliates using the access for initial foothold and lateral movement, and nation-state groups — including actors attributed to Chinese cyber operations — conducting espionage-focused intrusions.
The rapid weaponization highlighted a persistent gap: organizations often treat collaboration tools like Confluence as lower-risk than perimeter infrastructure, resulting in delayed patching and less rigorous network segmentation around these systems. Confluence, however, frequently has privileged access to internal wikis, credentials, and network documentation that makes it a high-value target for both financially motivated and nation-state actors.
“CISA is aware of active exploitation of CVE-2021-26084 and strongly urges all organizations to apply Atlassian's patches immediately.”
— CISA Advisory AA21-259A, September 2021
Patching and Remediating CVE-2021-26084
Atlassian released fixed versions on August 25, 2021. All Confluence Server and Data Center deployments must be updated to a patched version. There is no workaround that fully mitigates the vulnerability short of upgrading.
Upgrade to a patched Confluence version
Upgrade to 6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0, or any later version. If running a version outside these supported ranges, upgrade to the latest LTS release. This is the only complete remediation.
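The version ranges above (and in the affected-versions paragraph earlier) can be turned into an inventory check. The following is an added Python example, not code from the article or from Atlassian. It encodes each affected range as a half-open interval [branch start, first fixed release), using the fixed releases the article lists (6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0); the branch start points 6.14.0, 7.5.0 and 7.12.0 follow the wording of Atlassian's advisory and are an assumption not stated on this page. The inventory rows and hostnames are constructed sample data.

```python
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as [branch_start, first_fixed). The first-fixed releases are the ones
# the article lists; the branch starts (6.14.0, 7.5.0, 7.12.0) are taken from Atlassian's
# advisory wording and are an assumption, not something this article states.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (6, 13, 23)),   # everything before 6.13.23
    ((6, 14, 0), (7, 4, 11)),   # 6.14.0 up to, but not including, 7.4.11 (LTS)
    ((7, 5, 0), (7, 11, 6)),    # 7.5.0 up to, but not including, 7.11.6
    ((7, 12, 0), (7, 12, 5)),   # 7.12.0 up to, but not including, 7.12.5; 7.13.0+ is fixed
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' (suffixes such as '-rc1' are ignored)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Confluence version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def first_fixed_for(v: Version) -> Optional[Version]:
    """Return the first fixed release on v's branch, or None if v is not affected."""
    for start, fixed in AFFECTED_RANGES:
        if start <= v < fixed:
            return fixed
    return None


def is_vulnerable(text: str) -> bool:
    return first_fixed_for(parse_version(text)) is not None


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def triage_inventory(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """For each (host, version) row, report (host, current, minimum fixed) if affected."""
    findings = []
    for host, version_text in rows:
        fixed = first_fixed_for(parse_version(version_text))
        if fixed is not None:
            findings.append((host, version_text, format_version(fixed)))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("wiki-a.example.internal", "7.12.4"),   # affected, upgrade to 7.12.5 or later
    ("wiki-b.example.internal", "7.13.0"),   # fixed
    ("wiki-c.example.internal", "6.13.10"),  # affected, upgrade to 6.13.23 or later
    ("wiki-d.example.internal", "7.4.11"),   # fixed LTS
]

if __name__ == "__main__":
    for host, current, minimum in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {current} is affected; upgrade to at least {minimum}")
```

The minimum fixed release reported per host is the floor, not the target: as the step says, a deployment outside the supported ranges should go to the latest LTS rather than to the oldest fixed build on its branch.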
Temporarily restrict public access if unable to patch immediately
If immediate upgrade is not possible, restrict internet access to the Confluence instance using network ACLs or a reverse proxy. Require VPN for access. This eliminates external exploitation while you prepare the upgrade.
Audit for signs of compromise before patching
Before upgrading, examine web server access logs for unexpected POST requests to vulnerable WebWork action endpoints. Look for outbound connections from the Confluence process to external IPs. Assume compromise if anomalies exist.
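One way to carry out the access-log review this step describes, as an added Python example that is not part of the article. It assumes a reverse proxy in front of Confluence writing Apache/nginx combined-format access logs, restricts itself to WebWork action endpoints (paths ending in `.action`), percent-decodes the query string and flags requests whose parameters carry OGNL expression syntax (`#`, `@`) or references to the Java runtime classes the article names. The log lines and the `EXAMPLE-vulnerable-endpoint.action` path are constructed placeholders, not the real endpoint.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" access-log format, as written by a reverse proxy in front of Confluence.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# OGNL leans on '#' (context/variable references) and '@' (static member access);
# an injected expression that reaches process execution has to name the Java runtime.
OGNL_SYNTAX_RE = re.compile(r"[#@]")
JAVA_RUNTIME_RE = re.compile(r"java\.lang|Runtime|ProcessBuilder", re.IGNORECASE)


def fully_decode(text: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded parameters are matched too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def analyse_request(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious request to an .action endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; keep a count of these in a real review
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(".action"):
        return None  # only WebWork action endpoints are in scope for this check
    query = fully_decode(parts.query)
    indicators = []
    if OGNL_SYNTAX_RE.search(query):
        indicators.append("ognl_syntax_chars")
    if JAVA_RUNTIME_RE.search(query):
        indicators.append("java_runtime_reference")
    # Access logs do not record POST bodies, so a POST whose parameters travel in the body
    # is invisible to the checks above; a non-browser client POSTing to an action is worth a look.
    if m.group("method") == "POST" and not m.group("ua").startswith("Mozilla"):
        indicators.append("non_browser_post")
    if not indicators:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "status": int(m.group("status")),
        "indicators": indicators,
    }


def triage_access_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    findings = []
    for line in lines:
        finding = analyse_request(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log lines; the IPs, endpoint name and parameter value are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Sep/2021:10:15:01 +0000] "GET /pages/viewpage.action?pageId=65539 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Sep/2021:10:15:07 +0000] "POST /pages/EXAMPLE-vulnerable-endpoint.action'
    '?queryString=%23%7Bconstructed%7D%40Runtime HTTP/1.1" 302 0 "-" "python-requests/2.26"',
    '10.0.0.9 - - [02/Sep/2021:10:16:30 +0000] "POST /dologin.action?os_destination=%2Fpages%2Fviewpage.action '
    'HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [02/Sep/2021:10:16:31 +0000] "GET /rest/api/content?expand=body%23x HTTP/1.1" '
    '200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['method']} {f['path']} -> {', '.join(f['indicators'])}")
```

Any hit on `ognl_syntax_chars` or `java_runtime_reference` against an action endpoint is a strong signal and, per the step above, should be treated as a compromise until proven otherwise; `non_browser_post` on its own is a weaker heuristic meant to compensate for POST bodies being absent from access logs, and integrations that legitimately script against Confluence will need to be allowlisted.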
Rotate credentials stored in Confluence
After patching, rotate all credentials documented in Confluence wiki pages, including database passwords, API keys, service account credentials, and infrastructure secrets. Treat all Confluence-documented credentials as potentially compromised.
Segment Confluence from critical internal systems
Confluence should not have direct network access to production databases, domain controllers, or security infrastructure. Apply network segmentation to limit lateral movement from a compromised Confluence server.
The bottom line
CVE-2021-26084 followed the now-familiar pattern of critical enterprise software vulnerabilities: public disclosure, immediate weaponization, mass exploitation, emergency CISA advisory — all within a week. The window between patch availability and active exploitation is not measured in weeks anymore. It is measured in hours.
Confluence is a high-value target precisely because of what it contains: architecture diagrams, runbooks, credential documentation, and internal network maps. An attacker who establishes a foothold on Confluence gains intelligence that accelerates every subsequent phase of an intrusion.
Patch immediately. Treat any delayed patching window as an assumed breach scenario. And audit what credentials and sensitive information live in your Confluence instance — because if an attacker gets in, they will read it before you change it.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.