Description
This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server.

This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Crowd Data Center and Server customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

* Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.3

See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).

This vulnerability was reported via our Atlassian (Internal) program.
Published: 2026-01-28
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: High confidentiality and availability impact through authenticated XXE
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an XML External Entity Injection flaw that allows an attacker with valid credentials in Atlassian Crowd Data Center and Server to read local or remote files and resources, potentially exposing sensitive data. The attack requires no user interaction; it can severely compromise confidentiality and disrupt availability, while causing minimal integrity damage. Unchecked resolution of external entities during XML parsing is the classic CWE-611 weakness.

Affected Systems

The flaw appears in Crowd Data Center and Server starting with version 7.1.0 and persists through the 7.1.2 series. Upgrading to any release 7.1.3 or later removes the vulnerability. The affected product is Atlassian Crowd Data Center and Server; no other vendors or products are mentioned.

Risk and Exploitability

The CVSS base score is 7.9, indicating high severity. The EPSS score is below 1%, suggesting that widespread exploitation is currently unlikely, and the vulnerability is not yet catalogued as a known exploited vulnerability by CISA. An attacker must possess authenticated access; once authenticated, the path to the vulnerable XML parsing code is straightforward, making exploitation simple for insiders or compromised accounts. Note that the CVSS 3.0 vector recorded in the History section (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H) rates both attack complexity and the privileges required as high, so the authenticated precondition refers to a highly privileged account rather than any user. The lack of a user-interaction requirement and the high impact on confidentiality and availability suggest that enterprises should treat this as a priority flaw.

Generated by OpenCVE AI on April 18, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Crowd Data Center and Server instance to version 7.1.3 or later, which contains the patch for the XXE flaw.
  • Configure the XML parser to disallow any external entity declarations (for example, set the 'http://apache.org/xml/features/disallow-doctype-decl' feature to true) to mitigate similar vulnerabilities if a delay in upgrading occurs.
  • Continuously monitor Atlassian’s security advisories and release notes to ensure the system remains patched.

Generated by OpenCVE AI on April 18, 2026 at 01:47 UTC.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 02:15:00 +0000

Type | Values removed | Values added
Title | (none) | Authenticated XXE in Atlassian Crowd allowing external entity access

Mon, 02 Feb 2026 13:30:00 +0000

Type | Values removed | Values added
First Time appeared | (none) | Atlassian crowd
CPEs | (none) | cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Atlassian crowd

Wed, 28 Jan 2026 15:15:00 +0000

Type | Values removed | Values added
Weaknesses | (none) | CWE-611
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type | Values removed | Values added
First Time appeared | (none) | Atlassian; Atlassian crowd Data Center
Vendors & Products | (none) | Atlassian; Atlassian crowd Data Center

Wed, 28 Jan 2026 01:00:00 +0000

Type | Values removed | Values added
Description | (none) | (the vendor description shown under Description at the top of this page)
References | (none) | (empty)
Metrics | (none) | cvssV3_0 {'score': 7.9, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:H'}

MITRE

Status: PUBLISHED

Assigner: atlassian

Published:

Updated: 2026-01-28T14:49:56.282Z

Reserved: 2026-01-01T00:00:40.720Z

Link: CVE-2026-21569

Vulnrichment

Updated: 2026-01-28T14:49:49.903Z

NVD

Status : Analyzed

Published: 2026-01-28T01:16:14.187

Modified: 2026-02-02T13:22:24.383

Link: CVE-2026-21569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses