Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Security Advisory for Confluence Server and Data Center, August 2021

Last updated: August 26, 2021

This article is for a critical security vulnerability that exists in Confluence Server and Confluence Data Center.

We recommend that you upgrade to a fixed version as soon as possible to ensure that you are not affected. If you are unable to upgrade Confluence immediately, then apply the temporary workaround as mentioned in the advisory. Please see the full advisory to learn more and access the fixed versions:

If you have questions related to the advisory, upgrades, or migrations, please ask a new question here on Community. Please mention your question relates to CVE-2021-26084. Alternatively, you may comment on this article and we will convert your post to a question in order to best help you get an answer.

Comment
Watch
Like # people like this
2713 views

2 comments

Colin Murtaugh
Colin Murtaugh
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 25, 2021

We're running Confluence Server 7.4.9 and our [gear] -> User management page doesn't have anything about user signup options. There is no 'Allow people to sign up to create their account' setting on that page. 

Is there somewhere else we should be looking for this setting?

Like
Malcolm Ninnes
Malcolm Ninnes
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 25, 2021

Hi @Colin Murtaugh

If you're running Confluence Server 7.4.9 then you're vulnerable to the issue outlined in the advisory, regardless of whether you allow people to signup to create their own account or not.

We've reworded the advisory (Confluence Security Advisory CVE-2021-26084 - OGNL injection - 2021-08-25) in the last few hours to remove any ambiguity regarding the user signup settings.  Regardless of that setting, Confluence 7.4.9 is still vulnerable via other endpoints.

As such, Atlassian recommends running the workaround/mitigation script even if 'Allow people to sign up to create their own account' is disabled.  There are several endpoints identified that expose Confluence to CVE-2021-26084, so applying the workaround script will temporarily mitigate against the known vulnerable end points until you can upgrade to a version that fixes this permanently.  In your case, upgrading to 7.4.11 is probably the easiest.  The issue is fixed in 7.4.11.

Hope this helps!

Like

Comment

Log in or Sign up to comment
Daniel Eads

Daniel Eads

Atlassian Team
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.

About this author

Systems Engineer

Atlassian

Austin

623 accepted answers

2,690 total posts

View profile
Confluence
Confluence
TAGS
atlassian, confluence, loom, atlassian intelligence, ai notes, ai-powered meeting notes, atlassian community events, ace, confluence ai, loom ai integration, ai note-taking, atlassian ai features, team '25, atlassian live learning, confluence automation

Unlock AI-powered meeting notes: Join our live learning session! 📹

Did you catch the news at Team ‘25? With Loom, Confluence, Atlassian Intelligence, & even Jira 👀, you won’t have to worry about taking meeting notes again… unless you want to. Join us to explore the beta & discover a new way to boost meeting productivity.

Register today!
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Champions
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.