Cyber Resilience

CVE-2021-26086

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 16 August 2021
Modified: 24 October 2025
KEV Added: 12 November 2024
Patch
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.9419 (99.9th percentile)
Risk Priority: 87 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-26086 is a medium-severity Path Traversal (CWE-22) vulnerability in Atlassian Jira Data Center. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-26086 is a path traversal vulnerability in the /WEB-INF/web.xml endpoint of Atlassian Jira Server and Data Center. The flaw affects all versions before 8.5.14, versions 8.6.0 through 8.13.6, and versions 8.14.0 through 8.16.1, and is tracked under CWE-22 with a CVSS 3.1 score of 5.3.

Unauthenticated remote attackers can send crafted requests to read arbitrary files accessible to the application, achieving limited disclosure of sensitive information without any user interaction or privileges.

Atlassian has published details and fixes via JRASERVER-72695, while public exploit code is available and the issue appears in CISA's catalog of known exploited vulnerabilities.

EU & UK References

Vulnerability details

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

CWE(s)
KEV Date Added: 12 November 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

atlassian / jira data center: ≤ 8.5.14 · 8.6.0 to 8.13.6 · 8.14.0 to 8.16.1
atlassian / jira server: ≤ 8.5.14 · 8.6.0 to 8.13.6 · 8.14.0 to 8.16.1

Mitigating Controls (NIST 800-53 r5)

prevent: Rejects crafted path traversal sequences in requests to the /WEB-INF/web.xml endpoint before file disclosure occurs.

prevent: Enforces access restrictions so unauthenticated remote users cannot read arbitrary WEB-INF files via traversal.

prevent: Requires prompt application of vendor patches (e.g., 8.5.14/8.13.6/8.16.1) that close the path traversal flaw.

References