Tags: Atlassian, Confluence, CVE-2022-26134, RCE, OGNL, wiki

Atlassian Confluence: Critical CVEs and Securing Your Wiki

Confluence has accumulated a string of critical, actively exploited remote code execution vulnerabilities. An analysis of the major Atlassian Confluence CVEs and the measures that protect your instance.

April 23, 2026 · 3 min read

Atlassian Confluence is one of the most widely deployed enterprise collaboration and documentation tools. That popularity makes it a prime target: critical Confluence vulnerabilities regularly give attackers remote code execution, and they are exploited at scale within days of disclosure.

CVE-2022-26134: OGNL Injection (CVSS 9.8)

The Most Exploited Vulnerability

In June 2022, Atlassian disclosed CVE-2022-26134 — an OGNL (Object-Graph Navigation Language) injection enabling unauthenticated remote code execution. It's one of the most exploited Confluence CVEs in history.

How it works:

OGNL is the expression language of the WebWork/XWork web framework on which Confluence is built. In vulnerable versions the request URI itself was evaluated as an OGNL expression, so an unauthenticated attacker could place a ${...} expression in the URL path and have it executed with the privileges of the Confluence process:

GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1

URL-decoded, the path is ${@java.lang.Runtime@getRuntime().exec("id")}: a static call to Runtime.exec() that runs the id command on the server.

Affected versions: all supported Confluence Server and Data Center releases, from 1.3.0 through 7.18.0. Fixed in 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.

Mass Zero-Day Exploitation

Volexity reported the vulnerability to Atlassian on May 31, 2022 after observing it being used against a customer; Atlassian published fixed versions on June 3, 2022. Exploitation was therefore under way before any patch existed, and thousands of Confluence servers were compromised, primarily for:

  • Cryptocurrency miner deployment (XMRig)
  • Web shell installation for persistent access
  • Data exfiltration (Confluence pages often contain credentials, architecture diagrams, etc.)

CVE-2023-22515: Privilege Escalation (CVSS 10.0)

In October 2023, Atlassian disclosed CVE-2023-22515, a broken access control flaw in Confluence Data Center and Server that lets an unauthenticated attacker create an administrator account. An exposed instance could be pushed back into its initial setup state, after which the /setup/setupadministrator.action endpoint accepts a brand-new admin user.

Exploited as a zero-day before disclosure by Storm-0062, a group Microsoft attributes to the Chinese state.

Affected versions: Confluence Data Center and Server 8.0.0 through 8.5.1. Fixed in 8.3.3, 8.4.3 and 8.5.2.

CVE-2023-22518: Data Destruction (CVSS 9.1)

An improper authorization flaw affecting all versions of Confluence Data Center and Server (Cloud is not affected). An unauthenticated attacker can trigger a configuration restore and wipe the instance's data; Atlassian later raised its own rating to 10.0. Ransomware operators exploited it to destroy Confluence instances and then demand payment.

CVE-2021-26084: OGNL Injection (CVSS 9.8)

A predecessor to CVE-2022-26134 and another OGNL injection, this time through user-supplied parameters that ended up evaluated in Confluence's Velocity templates. Public exploits appeared within days of the August 2021 advisory, and it was used at scale to deploy cryptocurrency miners.

Detecting a Compromise

Search for Web Shells

# Build a reference timestamp (e.g. the day before the vendor advisory), then
# look for JSP files and compiled classes created or modified after it
touch -d "2022-06-02" /tmp/ref_date
find /opt/atlassian/confluence/confluence -name "*.jsp" -newer /tmp/ref_date
find /var/atlassian/application-data/confluence -name "*.class" -newer /tmp/ref_date

# Check the Tomcat access logs (conf_access_log.* by default) for OGNL delimiters,
# raw or URL-encoded, JSP requests carrying parameters, and the setup endpoints
grep -E '\.jsp\?|\$\{|%24%7B|%7B@|%7B%40|/setup/' /opt/atlassian/confluence/logs/conf_access_log*

In Confluence Logs

Look for requests to /setup/setupadministrator.action (or anything under /setup/), for paths containing ${...} or its encoded form %24%7B, and for any other URL carrying an encoded expression. Tomcat logs the request line exactly as received, so decode the URI, possibly twice, before judging it: a double-encoded %2524%257B is still ${.
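The following is an added Python example, not code from this post or from Atlassian, that does what the "How it works" section on CVE-2022-26134 and the two log-hunting sections above describe: it parses Confluence access-log lines, percent-decodes each request URI until it stops changing, and flags OGNL delimiters, /setup/ requests, the /json/setup-restore* endpoints that Atlassian's CVE-2023-22518 advisory recommends blocking, and direct JSP requests. It assumes Tomcat's default combined log format (what conf_access_log.* contains); the log lines are constructed for the example with RFC 5737 test addresses and are not real captures. The same classify() predicate can be reused as a reverse-proxy or WAF rule.

```python
"""Hunt Confluence access logs for the request patterns behind the CVEs above.

Added example for this post, not Atlassian code. Log lines are constructed
for the example (RFC 5737 test addresses), not real captures.
"""
import re
from urllib.parse import unquote

# Tomcat combined access-log line, as Confluence's default conf_access_log writes it:
# client - user [time] "METHOD URI PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Delimiters and constructs that only show up when a request carries an expression:
# ${...} / %{...} OGNL delimiters, static access to @java./@org.apache. classes, .exec(
OGNL_RE = re.compile(r"[$%]\{|@java\.|@org\.apache\.|\.exec\(")

# Constructed sample: one benign request, a CVE-2022-26134 probe, the same probe
# double-encoded, a CVE-2023-22515 admin-creation request, a CVE-2023-22518-style
# restore request, and a web-shell invocation.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:15:01 +0000] "GET /display/ENG/Home HTTP/1.1" 200 5120
198.51.100.9 - - [03/Jun/2022:10:15:07 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0
198.51.100.9 - - [03/Jun/2022:10:15:09 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0
192.0.2.77 - - [05/Oct/2023:02:41:13 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
192.0.2.77 - - [05/Nov/2023:03:10:22 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 312
192.0.2.77 - - [05/Nov/2023:03:14:58 +0000] "GET /confluence/cmd.jsp?cmd=id HTTP/1.1" 200 87
"""


def decode_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    Tomcat logs the request line as received, so a double-encoded payload
    (%2524%257B) needs two rounds before it reads as ${.
    """
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(uri: str) -> set:
    """Return the set of indicator names that apply to one request URI."""
    decoded = decode_uri(uri)
    path = decoded.split("?", 1)[0].lower()
    hits = set()
    if OGNL_RE.search(decoded):
        hits.add("ognl_expression")   # CVE-2022-26134 / CVE-2021-26084 style payload
    if "/setup/" in path:
        hits.add("setup_endpoint")    # CVE-2023-22515: /setup/setupadministrator.action
    if "setup-restore" in path:
        hits.add("setup_restore")     # /json/setup-restore* (Atlassian CVE-2023-22518 advisory)
    if path.endswith(".jsp"):
        hits.add("jsp_request")       # direct JSP hits are rare in normal traffic: classic web shell
    return hits


def scan(log_text: str) -> list:
    """Parse each line and keep the ones that carry at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, uri, status, _size = m.groups()
        hits = classify(uri)
        if hits:
            findings.append({
                "ip": ip,
                "time": ts,
                "method": method,
                "status": int(status),
                "decoded_uri": decode_uri(uri),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    # Usage: python hunt.py < /opt/atlassian/confluence/logs/conf_access_log.*
    # Here it runs over the constructed sample instead.
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['method']:4} {f['status']} {sorted(f['indicators'])} {f['decoded_uri']}")
```

Decoding before matching is the point: a grep for %24%7B misses the double-encoded third line, while the decoded form of both probes is the same OGNL expression. Status codes are kept because the real CVE-2022-26134 exploit returned a 302 with the command output in a response header, so a 302 on a nonsense path is itself worth a second look.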

Securing Confluence

1. Update Immediately

Confluence must be updated as soon as a critical patch is published. Atlassian offers LTS (Long Term Support) versions to simplify tracking.

2. Don't Expose Confluence to the Internet if Possible

If Confluence is only used internally, keep it off the internet entirely and reach it through a VPN for remote access.

3. If Internet Exposure is Necessary: WAF and Filtering

Deploy a WAF or reverse proxy with rules blocking:

  • OGNL expressions in URLs (%24%7B, ${, @java), matched after URL decoding so that double-encoded payloads are caught too
  • Access to /setup/ and to the /json/setup-restore* endpoints from the internet
  • Common RCE-type payloads

A WAF buys time; it is not a substitute for patching, since the same expression can be encoded in more than one way.

4. Regular, Tested Backups

CVEs like CVE-2023-22518 can destroy your data. Daily backups stored out of band (not on the Confluence host and not reachable with Confluence's own credentials) are essential, and a backup only counts once you have restored from it.

5. Principle of Least Privilege

  • Create Confluence spaces with restrictive permissions
  • Avoid public spaces containing sensitive information
  • Use dedicated service accounts with minimal permissions

6. Subscribe to Atlassian Security Notifications

Sign up for Atlassian security alerts at: security.atlassian.com

Jira: The Same Risks

Confluence's counterpart, Jira, also has regular critical CVEs:

  • CVE-2022-0540 (CVSS 9.9): Auth bypass in Jira and Jira Service Management
  • CVE-2021-43947 (CVSS 9.9): RCE in Jira Data Center

If you use the Atlassian suite, apply the same rigor to Jira.


Monitor all Atlassian CVEs on cveo.tech — search for confluence or jira for a complete inventory.
