CVE-2021-26084 Explained: Confluence Server OGNL Injection and Mass Exploitation
A CVSS 9.8 pre-authentication OGNL injection vulnerability in Atlassian Confluence Server and Data Center. Weaponized within hours of disclosure. Used by ransomware groups and nation-state actors within days.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2021-26084 is an OGNL (Object-Graph Navigation Language) server-side injection vulnerability in Atlassian Confluence Server and Data Center. Disclosed August 25, 2021, with a CVSS score of 9.8, it allows an unauthenticated attacker to inject and execute arbitrary OGNL expressions through HTTP query parameters, achieving remote code execution on the Confluence server.
The vulnerability attracted immediate, broad exploitation activity. CISA issued an emergency advisory within days. Mass scanning and exploitation were observed within hours of public proof-of-concept release. Ransomware operators, cryptomining groups, and nation-state actors all adopted the exploit within the first week.
The OGNL Injection: How CVE-2021-26084 Works
Atlassian Confluence uses OGNL as its expression language for rendering dynamic web content. The vulnerability exists in certain Confluence endpoints that process user-supplied query parameters without sufficient sanitization before passing them through the OGNL evaluation engine.
In affected versions, specific WebWork actions in Confluence allow unauthenticated HTTP requests to supply OGNL expressions directly in query parameters. Because the expressions are evaluated server-side in the context of the Confluence application, an attacker can break out of the template context and execute arbitrary Java code, including spawning OS processes.
On some configurations, exploitation requires no authentication whatsoever. On others, a valid Confluence account with no special permissions is sufficient. Atlassian's advisory initially framed authentication as required, then clarified that unauthenticated exploitation was possible on default-configured instances, significantly expanding the risk surface.
Affected versions include Confluence Server and Data Center before 6.13.23, before 7.4.11 (LTS), before 7.11.6, before 7.12.5, and before 7.13.0. Confluence Cloud instances were not affected.
Identify Confluence instances
Scan for Confluence Server/Data Center deployments. The Confluence login page exposes version information in HTML comments and JavaScript. Shodan and Censys indexes track exposed instances globally.
Probe for unauthenticated access
Send requests to vulnerable WebWork action endpoints without credentials. Unauthenticated exploitation is possible on default installations where the affected endpoint does not require login.
Inject OGNL expression
Supply a crafted OGNL expression as a query parameter value. The expression executes within the Confluence application context, with access to the Java runtime and system properties.
Execute OS command
Call Java's Runtime.exec() or ProcessBuilder from within the OGNL expression to execute arbitrary commands as the operating system user running the Confluence process.
Deploy implant or miner
First-wave exploitation commonly deployed cryptocurrency miners (XMRig variants) or web shells. Ransomware groups used the foothold for domain reconnaissance and network-wide encryption preparation.
Mass Exploitation: CVE-2021-26084 in the Wild
The exploitation timeline for CVE-2021-26084 was among the fastest observed for any enterprise vulnerability in 2021. Atlassian published the advisory on August 25. A proof-of-concept exploit appeared publicly on September 1. By September 2, CISA issued Advisory AA21-259A citing active exploitation at mass scale.
Threat actors who rapidly adopted CVE-2021-26084 included cryptocurrency mining groups deploying XMRig, multiple ransomware affiliates using the access for initial foothold and lateral movement, and nation-state groups, including actors attributed to Chinese cyber operations, conducting espionage-focused intrusions.
The rapid weaponization highlighted a persistent gap: organizations often treat collaboration tools like Confluence as lower-risk than perimeter infrastructure, resulting in delayed patching and less rigorous network segmentation around these systems. Confluence, however, frequently has privileged access to internal wikis, credentials, and network documentation that makes it a high-value target for both financially motivated and nation-state actors.
“CISA is aware of active exploitation of CVE-2021-26084 and strongly urges all organizations to apply Atlassian's patches immediately.”
CISA Advisory AA21-259A, September 2021
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Patching and Remediating CVE-2021-26084
Atlassian released fixed versions on August 25, 2021. All Confluence Server and Data Center deployments must be updated to a patched version. There is no workaround that fully mitigates the vulnerability short of upgrading.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CVE-2021-26084 followed the now-familiar pattern of critical enterprise software vulnerabilities: public disclosure, immediate weaponization, mass exploitation, emergency CISA advisory, all within a week. The window between patch availability and active exploitation is not measured in weeks anymore. It is measured in hours.
Confluence is a high-value target precisely because of what it contains: architecture diagrams, runbooks, credential documentation, and internal network maps. An attacker who establishes a foothold on Confluence gains intelligence that accelerates every subsequent phase of an intrusion.
Patch immediately. Treat any delayed patching window as an assumed breach scenario. And audit what credentials and sensitive information live in your Confluence instance, because if an attacker gets in, they will read it before you change it.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2021-26084?
CVE-2021-26084 is a CVSS 9.8 OGNL injection vulnerability in Atlassian Confluence Server and Data Center. An unauthenticated attacker can inject OGNL expressions via HTTP query parameters to achieve remote code execution. On default configurations, no authentication is required. It was exploited in mass scanning campaigns within hours of public PoC release in September 2021.
Is Confluence Cloud affected by CVE-2021-26084?
No. Only Confluence Server and Confluence Data Center are affected. Atlassian's cloud-hosted Confluence instances are not vulnerable.
How do I fix CVE-2021-26084?
Upgrade to Confluence 6.13.23, 7.4.11, 7.11.6, 7.12.5, or 7.13.0 (or later). If immediate patching is impossible, restrict internet access to your Confluence instance via network ACLs and require VPN access. Rotate all credentials documented in Confluence after patching.
Is Confluence Cloud affected by CVE-2021-26084?
No. Only Confluence Server and Confluence Data Center are affected. Atlassian-hosted Confluence Cloud instances were not vulnerable because the underlying platform was managed and patched by Atlassian before external exploitation was possible. Organizations running Confluence Server or Data Center on their own infrastructure needed to apply the patch themselves.
How quickly was CVE-2021-26084 weaponized after public disclosure?
CISA reported that CVE-2021-26084 was weaponized within less than one hour of public proof-of-concept release on September 1, 2021. Atlassian published the advisory August 25 without a public PoC. When a researcher published exploit code September 1, mass scanning and exploitation began almost immediately. By September 2, CISA issued Advisory AA21-259A reporting active mass exploitation. The speed of weaponization reflected that the vulnerability was trivially exploitable via a single HTTP request and required no authentication.
What did attackers do after exploiting CVE-2021-26084?
First-wave exploitation deployed cryptocurrency miners (primarily XMRig variants), which were the most common payload given the automated nature of mass exploitation. Ransomware affiliates used CVE-2021-26084 as an initial access vector for building target lists and deploying ransomware in follow-on campaigns. Nation-state actors attributed to Chinese cyber operations conducted targeted espionage intrusions, collecting Confluence wiki content, credentials, and architecture documentation. All categories of threat actor were observed within the first week of exploitation.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
