XML External Entity Injection Vulnerability in Atlassian Crowd Data Center and Server
CVE-2026-21569

7.9HIGH

Key Information:

Vendor: Atlassian
Status: Crowd Data Center
Vendor: CVE Published:; 28 January 2026

What is CVE-2026-21569?

A vulnerability in Atlassian Crowd Data Center and Server allows authenticated attackers to exploit XML External Entity Injection (XXE), exposing local and remote data. This can lead to significant breaches of confidentiality and availability without requiring user interaction. Users of versions prior to 7.1.3 should promptly upgrade to mitigate risks and protect sensitive information. Refer to the release notes on Atlassian's website for more details and ensure your systems are up-to-date.

Affected Version(s)

Crowd Data Center 7.1.0 to 7.1.2

Crowd Data Center 7.1.3

References

https://confluence.atlassian.com/pages/viewpage.action?pa...

https://jira.atlassian.com/browse/CWD-6453

CVSS V3.0

Score:

7.9

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 28, 2026
Vulnerability Reserved
Jan 1, 2026

CVE-2026-21569 Data

JSON