This Crowd release includes updates to our Apache Tika dependency in response to CVE-2025-66516.
Our security team has assessed that the current scope of this CVE does not present the same critical risk in our products, as our use of the dependency doesn’t support the known path for exploitation.
The patch for CVE-2025-66516 is being released out of an abundance of caution.

This Critical severity XXE (XML External Entity Injection) vulnerability was introduced in versions 7.1.0 and 7.1.1 of Crowd Data Center and Server.

This Improper Authorization vulnerability, with a CVSS Score of 10 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Crowd Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

• Crowd Data Center and Server 7.1: Upgrade to a release greater than or equal to 7.1.2

See the release notes (https://www.atlassian.com/software/crowd/download-archive). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive).