CVE-2021-26086

MEDIUM KEV NUCLEI

Atlassian Jira Server/Data Center Path Traversal via /WEB-INF/web.xml

Title source: llm

Exploitation Summary

CVE-2021-26086 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 12, 2024. EIP tracks 4 public exploits from researchers including Mayank Deshmukh, ColdFusionX and Official-BlackHat13. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates an arbitrary file read vulnerability in Atlassian Jira Server Data Center via path traversal. The PoC includes multiple HTTP GET requests targeting sensitive files like web.xml and seraph-config.xml.

Description

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

Exploits (4)

exploitdb WORKING POC
by Mayank Deshmukh · text · webapps · multiple
https://www.exploit-db.com/exploits/50380

This exploit demonstrates an arbitrary file read vulnerability in Atlassian Jira Server Data Center via path traversal. The PoC includes multiple HTTP GET requests targeting sensitive files like web.xml and seraph-config.xml.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira Server Data Center < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
No auth needed
Prerequisites: Network access to the Jira Server Data Center instance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 25 stars
by ColdFusionX · poc
https://github.com/ColdFusionX/CVE-2021-26086

The repository provides functional HTTP request examples demonstrating CVE-2021-26086, a path traversal vulnerability in Atlassian Jira Server/Data Center 8.4.0. The PoC includes crafted GET requests to read sensitive files (e.g., web.xml, seraph-config.xml) via a directory traversal payload.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira Server/Data Center 8.4.0
No auth needed
Prerequisites: Network access to the target Jira instance
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by Official-BlackHat13 · poc
https://github.com/Official-BlackHat13/CVE-2021-26086

This repository contains a functional exploit for CVE-2021-26084, an OGNL injection vulnerability in Confluence Server. The exploit allows unauthenticated remote code execution by injecting malicious OGNL expressions via the queryString parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Atlassian Confluence Server < 7.12.5
No auth needed
Prerequisites: Network access to the target Confluence Server · Vulnerable version of Confluence Server
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by Jeromeyoung · poc
https://github.com/Jeromeyoung/CVE-2021-26086

This repository contains a functional Go-based exploit for CVE-2021-26084 (mislabeled as CVE-2021-26086 in the repo name), targeting Confluence OGNL injection for remote code execution. The exploit sends a crafted payload to execute arbitrary commands via JavaScript evaluation in the ScriptEngineManager.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Atlassian Confluence (versions affected by CVE-2021-26084)
No auth needed
Prerequisites: Network access to vulnerable Confluence instance · Target endpoint path (e.g., /pages/createpage-entervariables.action)
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Atlassian Jira Limited - Local File Inclusion
MEDIUM · by cocxanh
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira"

Scores

CVSS v3 5.3
EPSS 0.9419
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2024-11-12
VulnCheck KEV 2023-11-18
InTheWild.io 2024-11-12
ENISA EUVD EUVD-2021-12907
CWE
CWE-22
Status published
Products (2)
atlassian/jira_data_center < 8.5.14
atlassian/jira_server < 8.5.14
Published Aug 16, 2021
KEV Added Nov 12, 2024
Tracked Since Feb 18, 2026