Child pages
  • CVE-2021-26073 - Broken authentication in Atlassian Connect Express (ACE)
Skip to end of metadata
Go to start of metadata


Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions between 3.0.2 - 6.5.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app. This is fixed in version 6.6.0.

Affected versions

  • 3.0.2 - 6.5.0

Fixed versions

  • 6.6.0 and later


This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 9.1 => Critical severity

Exploitability Metrics

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone

Scope Metric


Impact Metrics


What you need to do

Atlassian recommends that you upgrade to the latest version. Upgrade to atlassian-connect-express to 6.6.0 or higher.

  • No labels