Atlassian Crowd critical vulnerability: how do you fix it?


We have learnt that an important security vulnerability has been discovered in Atlassian Crowd.

This vulnerability affects all Standalone versions prior to 2.6.3 (released on June 24th 2013, which fixes this issue), with the exception of 2.5.4.

You will find all technical details in this report from CommandFive. This vulnerability can be exploited by anyone who can reach your Crowd REST API, so you are particularly exposed if your Crowd server is reachable from the internet.

The JIRA issue referring to this problem is here:

To fix this issue, you can:

  • Apply the patch, available for Crowd 2.1.2 and upwards (patch instructions are detailed in the Atlassian ticket)
  • Upgrade Crowd to 2.5.4 or 2.6.3 (mandatory if you run a Crowd version older than 2.1.2)
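To decide which of the two remedies applies to a given installation, the version ranges above can be turned into a small triage helper. This is an added example, not code from the original post or from Atlassian; it assumes the advisory's literal wording, so 2.5.x releases other than 2.5.4 are reported as affected (conservatively) because the advisory does not mention them.

```python
"""Triage a Crowd Standalone version against the advisory above (added example)."""

import re

# Thresholds exactly as stated in the advisory
FIXED_RELEASE = (2, 6, 3)    # 2.6.3 fixes the issue
FIXED_BACKPORT = (2, 5, 4)   # the single earlier release listed as not affected
PATCHABLE_FROM = (2, 1, 2)   # the patch is available for 2.1.2 and upwards


def parse_version(text: str) -> tuple:
    """Turn 'Crowd 2.6.2', '2.6' or '2.6.2-build' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    # A missing patch component (e.g. '2.6') is treated as .0
    return tuple(int(g) for g in m.groups(default="0"))


def triage(version_text: str) -> str:
    """Return 'not affected', 'patch or upgrade' or 'upgrade required'."""
    v = parse_version(version_text)
    # Not affected: 2.6.3 and later, or the 2.5.4 backport release.
    # Assumption: the advisory names 2.5.4 as the only exception below 2.6.3,
    # so any other 2.5.x release is conservatively reported as affected.
    if v >= FIXED_RELEASE or v == FIXED_BACKPORT:
        return "not affected"
    # The patch route is only open from 2.1.2 upwards; older releases must upgrade.
    if v >= PATCHABLE_FROM:
        return "patch or upgrade"
    return "upgrade required"


if __name__ == "__main__":
    # Constructed sample versions covering each branch of the advisory
    for sample in ("2.0.7", "2.1.2", "2.5.3", "2.5.4", "2.6.2", "Crowd 2.6.3", "2.7.0"):
        print(f"{sample:>12}: {triage(sample)}")
```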

For all information related to the patch instructions, you can reach Atlassian via
