CVE-2021-26073 - Broken authentication in Atlassian Connect Express (ACE)


Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions between 3.0.2 - 6.5.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app. This is fixed in version 6.6.0.

Affected versions

  • 3.0.2 - 6.5.0

Fixed versions

  • 6.6.0 and later


This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 9.1 => Critical severity

Exploitability Metrics

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone

Scope Metric


Impact Metrics


What you need to do

Atlassian recommends that you upgrade to the latest version. Upgrade to atlassian-connect-express to 6.6.0 or higher.

Last modified on May 6, 2021

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.