CVE-2022-26134

CVE-2022-26134 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-02). The underlying weakness is classified as CWE-917.

Key facts

Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

CVE-2022-26134: Atlassian Confluence OGNL Injection Remote Code Execution

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2022-26134
Vendor Atlassian
Product Confluence Server / Data Center
Severity Critical (CVSS 3.1: 9.8)
CWE CWE-917: Expression Language Injection
EPSS 0.99999 (99.994th percentile)
KEV Yes (added 2022-06-02)
CISA KEV https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26134

Summary

Atlassian Confluence Server and Data Center are affected by an unauthenticated OGNL injection vulnerability that allows remote attackers to execute arbitrary code on the target instance.

Background

Atlassian Confluence is a widely deployed web-based corporate wiki and collaboration platform. Confluence Server and Data Center are the self-hosted and clustered enterprise editions. The platform uses the Object-Graph Navigation Language (OGNL) expression language in several areas of its request handling and data-binding layers.

Root Cause

The vulnerability is classified as CWE-917: Expression Language Injection. The root cause lies in how Confluence evaluates user-supplied OGNL expressions in request paths or parameters without proper sanitization or sandboxing. An attacker can inject malicious OGNL syntax that the server subsequently parses and executes, leading to arbitrary code execution under the context of the application server process.

Impact

This vulnerability is rated Critical with a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  • Confidentiality: High — attacker can read arbitrary data from the host, including database connection strings and cached content.
  • Integrity: High — attacker can modify content, install plugins, or alter system configuration.
  • Availability: High — attacker can crash the application or pivot to the underlying host.
    Because the vulnerability is unauthenticated and exploitable over the network with low complexity, mass internet scanning and automated exploitation were observed immediately after disclosure.

Exploitation Walkthrough

Ethics caveat: This section describes the vulnerability mechanism for defensive and detection purposes only. Active exploitation against systems you do not own or have explicit permission to test is illegal and unethical.

The attack vector is a crafted HTTP request containing OGNL meta-characters and expressions in the URI path or query parameters. Confluence’s URL parser passes the raw string into an OGNL evaluation context. A typical malicious request includes namespace-traversal patterns and OGNL method calls that invoke Runtime.exec() or classloader manipulation. Because the exploit is unauthenticated, no valid session or credentials are required.

Defensive takeaways:

  • Any request containing OGNL-like syntax (${...}, %{...}, @..., class, Runtime, ProcessBuilder) in the URL path should be treated as suspicious.
  • The request method is typically GET or POST, but the payload is delivered in the URI.
  • Successful exploitation usually results in an outbound child process or a network callback from the Confluence server.

Affected and Patched Versions

The following versions are confirmed vulnerable:

  • 1.3.0 through 7.4.16
  • 7.13.0 through 7.13.6
  • 7.14.0 through 7.14.2
  • 7.15.0 through 7.15.1
  • 7.16.0 through 7.16.3
  • 7.17.0 through 7.17.3
  • 7.18.0

Patched versions:

  • 7.4.17
  • 7.13.7
  • 7.14.3
  • 7.15.2
  • 7.16.4
  • 7.17.4
  • 7.18.1

Remediation

  1. Upgrade immediately to the latest patched version listed above. Atlassian released an emergency fix and upgrading is the only reliable remediation.
  2. Workaround (if patching is delayed): Consider blocking all access to Confluence at the network edge (WAF/reverse proxy) until the patch can be applied. However, this is a temporary measure and should not replace patching.
  3. Compensating controls:
    • Restrict Confluence management interfaces to internal IP ranges via VPN or firewall rules.
    • Deploy a Web Application Firewall (WAF) rule to detect OGNL-like patterns in URI paths.
    • Monitor for anomalous outbound connections from the Confluence server.

Detection

  • Network: Look for OGNL meta-characters in HTTP URI paths (${, %{, @java.lang, Runtime, ProcessBuilder) targeting Confluence endpoints.
  • Host: Monitor process-spawning events from the Confluence Java process (e.g., unexpected bash, cmd.exe, powershell, or curl child processes).
  • Logs: Check Confluence access logs for long or unusual URI strings containing encoded special characters, especially /%24%7B or /%25%7B patterns.
  • EDR: Alert on Java processes establishing unexpected outbound network connections or loading unknown classes.

Assessment

This CVE carries an EPSS score of 0.99999 (99.994th percentile), meaning empirical data shows near-universal exploitation probability. It was added to the CISA Known Exploited Vulnerabilities Catalog on 2022-06-02, and active exploitation was observed in the wild within hours of disclosure.

Lessons learned:

  1. Expression-language injection is high-impact when it leads to code execution. Platforms that embed OGNL, SpEL, or similar engines must rigorously sanitize user input before evaluation.
  2. Unauthenticated RCE on public-facing collaboration tools is a catastrophic exposure. Organizations should ensure these systems are not directly internet-facing without strict filtering, even when fully patched.

References

Frequently asked questions

What is CVE-2022-26134?
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
How severe is CVE-2022-26134?
CVE-2022-26134 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2022-26134 being actively exploited?
Yes. CVE-2022-26134 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-02, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2022-26134?
CVE-2022-26134 primarily affects Atlassian Confluence Data Center. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2022-26134?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2022-26134 have an EU (EUVD) identifier?
Yes. CVE-2022-26134 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-30701. It is also flagged as exploited in the EUVD (since 2022-06-02).
When was CVE-2022-26134 published?
CVE-2022-26134 was published on 2022-06-03 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Atlassian Confluence Data Center

All CVEs affecting Atlassian Confluence Data Center →

Other CWE-917 vulnerabilities

Browse all CWE-917 vulnerabilities →