CVE-2026-21569

This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3 See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). This vulnerability was reported via our Atlassian (Internal) program.

CVSS v3 7.9 HIGH

7.9^/10

CVSS v3 : HIGH

Vector : AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819	Vendor Advisory
https://jira.atlassian.com/browse/CWD-6453	Vendor Advisory Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-28 01:16

Updated : 2026-02-02 13:22

NVD link : CVE-2026-21569

Mitre link : CVE-2026-21569

CVE.ORG link : CVE-2026-21569

JSON object : View

Products Affected

atlassian

crowd

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2026-21569", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@atlassian.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}]}, "published": "2026-01-28T01:16:14.187", "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819", "tags": ["Vendor Advisory"], "source": "security@atlassian.com"}, {"url": "https://jira.atlassian.com/browse/CWD-6453", "tags": ["Vendor Advisory", "Issue Tracking"], "source": "security@atlassian.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. \n\t\n\tThis XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. \n\t\n\tAtlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\n\t\t\n\t\t* Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3\n\t\t\n\t\t\n\t\n\tSee the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). \n\t\n\tThis vulnerability was reported via our Atlassian (Internal) program."}], "lastModified": "2026-02-02T13:22:24.383", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D58C58C-051C-4A3E-BEC8-296F8086DDF5", "versionEndExcluding": "7.1.3", "versionStartIncluding": "7.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}