CVE-2021-26291

CRITICAL

Apache Maven < 3.8.1 - Repository Origin Validation Error via POM Dependency References

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-26291. PoCs published by jpmartins.

AI-analyzed exploit summary: This repository provides a technical analysis of CVE-2021-26291, demonstrating how dependency-check-maven flags maven-core-3.6.3.jar with a false positive due to plugin scanning. It includes steps to reproduce the issue and highlights the root cause in the company's parent POM configuration.

Description

Apache Maven will follow repositories that are defined in a dependency's Project Object Model (POM), which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details are available in the referenced URLs. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html

Exploits (1)

Source: nomisec · Type: writeup
by jpmartins · PoC
https://github.com/jpmartins/MinimalReproducer

Classification
Writeup 90%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Apache Maven (dependency-check-maven plugin)
No auth needed
Prerequisites: Maven project with dependency-check-maven plugin configured · Parent POM with scanPlugins=true and failBuildOnCVSS=7
Analyzed by devstral-2 on Feb 18, 2026

References (43)

Core References (43)
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist)
http://www.openwall.com/lists/oss-security/2021/04/23/5
Patch, Third Party Advisory (x_refsource_misc)
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 9.1
EPSS 0.4610
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-346
Status published
Products (6)
apache/maven < 3.8.1
oracle/financial_services_analytical_applications_infrastructure 8.0.6.0.0 - 8.0.9.0.0
oracle/goldengate_big_data_and_application_adapters 23.1
org.apache.maven/maven-compat 0 - 3.8.1 (Maven)
org.apache.maven/maven-core 0 - 3.8.1 (Maven)
quarkus/quarkus < 1.13.5
Published Apr 23, 2021
Tracked Since Feb 18, 2026