wire-server is an open-source back end for Wire, a secure collaboration platform. In wire-server from version 2021-02-16 and before version 2021-03-02, the client metadata of all users was exposed in the `GET /users/list-clients` endpoint. The endpoint could be used by any logged in user who could request client details of any other user (no connection required) as far as they can find their User ID. The exposed metadata included id, class, type, location, time, and cookie. A user on a Wire backend could use this endpoint to find registration time and location for each device for a given list of users. As a workaround, remove `/list-clients` from nginx config. This has been fixed in version 2021-03-02.
Conclusion & alert: CVE-2021-21396 is rated Moderate Risk (48.1/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.09%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.32% | 1.09% | +0.78% |
| 2 | 2025-11-21 | 0.35% | 0.32% | -0.04% |
| 3 | 2025-11-18 | — | 0.35% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
| 4.0 | 2.0 | MEDIUM |
|
8.0 | 2.9 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| wire | wire_server | >= 2021-02-16, < 2021-03-02 | cpe:2.3:a:wire:wire_server:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/wireapp/wire-server/commit/7ba2bf4140282557cf215e0b2c354d4d08cd3421 | Patch Third Party Advisory |
| https://github.com/wireapp/wire-server/releases/tag/v2021-03-02 | Third Party Advisory |
| https://github.com/wireapp/wire-server/security/advisories/GHSA-qx8q-rhq2-rg4j | Patch Third Party Advisory |