Confluence Server - SSRF (CVE-2021-26072)

CVE-2021-26072 is a vulnerability in the WidgetConnector plugin for Atlassian Confluence Server and Data Center prior to version 5.8.6, which allows remote attackers to exploit a blind Server-Side Request Forgery (SSRF) flaw. This vulnerability could enable attackers to manipulate or access internal network resources, potentially leading to unauthorized information disclosure or further attacks within the internal network.

CrowdSec has been tracking this vulnerability and its exploits since 29th of October 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2021-26072 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2021-26072 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2021-26072 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending requests to the /rest/sharelinks/1.0/link endpoint with a crafted url parameter, enabling server-side request forgery to arbitrary external or internal resources.