CVE-2021-21266

Name: CVE-2021-21266
Creator: NVD / NIST
Published: 2021-02-01T15:15:13.057+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5/10EPSS 1.10%

Last modified Jun 17, 2026

CVE-2021-21266 is a medium-severity vulnerability rated 5/10 on the CVSS scale. openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. EPSS estimates a 1.10% chance of exploitation in the next 30 days.

Description

openHAB is a vendor and technology agnostic open source automation software for your home. In openHAB before versions 2.5.12 and 3.0.1 the XML external entity (XXE) attack allows attackers in the same network as the openHAB instance to retrieve internal information like the content of files from the file system. Responses to SSDP requests can be especially malicious. All add-ons that use SAX or JAXB parsing of externally received XML are potentially subject to this kind of attack. In openHAB, the following add-ons are potentially impacted: AvmFritz, BoseSoundtouch, DenonMarantz, DLinkSmarthome, Enigma2, FmiWeather, FSInternetRadio, Gce, Homematic, HPPrinter, IHC, Insteon, Onkyo, Roku, SamsungTV, Sonos, Roku, Tellstick, TR064, UPnPControl, Vitotronic, Wemo, YamahaReceiver and XPath Tranformation. The vulnerabilities have been fixed in versions 2.5.12 and 3.0.1 by a more strict configuration of the used XML parser.

Metrics

CVSS 3.1

5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

EPSS Probability

1.10%

61.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-611

Affected Software

Vendor	Product	Versions
Openhab	Openhab	< 2.5.12
Openhab	Openhab	3.0.0

References

https://dev.to/brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213cThird Party Advisory
https://github.com/openhab/openhab-addons/commit/81935b0ab126e6d9aebd2f6c3fc67d82bb7e8b86Patch, Third Party Advisory
https://github.com/openhab/openhab-addons/security/advisories/GHSA-r2hc-pmr7-4c9rPatch, Third Party Advisory
https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxbTechnical Description, Third Party Advisory
https://dev.to/brianverm/configure-your-java-xml-parsers-to-prevent-xxe-213cThird Party Advisory
https://github.com/openhab/openhab-addons/commit/81935b0ab126e6d9aebd2f6c3fc67d82bb7e8b86Patch, Third Party Advisory
https://github.com/openhab/openhab-addons/security/advisories/GHSA-r2hc-pmr7-4c9rPatch, Third Party Advisory
https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxbTechnical Description, Third Party Advisory

Timeline

Published: Feb 1, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21266?

How severe is CVE-2021-21266?

CVE-2021-21266 has a CVSS score of 5/10 (MEDIUM severity). The EPSS model estimates a 1.10% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21266?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-21266?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST