7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26073

GHSA ID

GHSA-4v96-m8xv-x83v

EPSS Score

0.56323%

CWE

CWE-287

Published

5/24/2022

Updated

2/12/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-26073

CVE-2021-26073:
Broken Authentication in Atlassian Connect Express

Broken Authentication in Atlassian Connect Express (ACE) from version 3.0.2 before version 6.6.0: Atlassian Connect Express is a Node.js package for building Atlassian Connect apps. Authentication between Atlassian products and the Atlassian Connect Express app occurs with a server-to-server JWT or a context JWT. Atlassian Connect Express versions between 3.0.2 - 6.5.0 erroneously accept context JWTs in lifecycle endpoints (such as installation) where only server-to-server JWTs should be accepted, permitting an attacker to send authenticated re-installation events to an app.

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26073

GHSA ID

GHSA-4v96-m8xv-x83v

EPSS Score

0.56323%

CWE

CWE-287

Published

5/24/2022

Updated

2/12/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
atlassian-connect-express	npm	>= 3.0.2, < 6.6.0	6.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper JWT type validation in authentication middleware. The critical function is addon.authenticate() which handles request authentication. In vulnerable versions (3.0.2-6.5.0), this middleware didn't properly restrict context JWTs in lifecycle endpoints. The patch requires explicit skipQshVerification=true parameter for context JWT endpoints, indicating the base authenticate() function was missing server-to-server JWT enforcement. This matches community guidance showing vulnerable endpoints used standard authenticate() while fixed implementations require parameterization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*rok*n *ut**nti**tion in *tl*ssi*n *onn**t *xpr*ss (***) *rom v*rsion *.*.* ***or* v*rsion *.*.*: *tl*ssi*n *onn**t *xpr*ss is * No**.js p**k*** *or *uil*in* *tl*ssi*n *onn**t *pps. *ut**nti**tion **tw**n *tl*ssi*n pro*u*ts *n* t** *tl*ssi*n *onn**t

Reasoning

T** vuln*r**ility st*ms *rom improp*r JWT typ* v*li**tion in *ut**nti**tion mi**l*w*r*. T** *riti**l *un*tion is `***on.*ut**nti**t*()` w*i** **n*l*s r*qu*st *ut**nti**tion. In vuln*r**l* v*rsions (*.*.*-*.*.*), t*is mi**l*w*r* *i*n't prop*rly r*stri

7.7

Basic Information

Concerned about an active attack path?

CVE-2021-26073: Broken Authentication in Atlassian Connect Express

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-26073:
Broken Authentication in Atlassian Connect Express

Vulnerability Intelligence
Miggo AI