CVE-2022-26134
CVE-2022-26134 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-02). The underlying weakness is classified as CWE-917.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-06-02)
- EU (EUVD) id: EUVD-2022-30701
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-06-02)
- Weakness: CWE-917
- Affected product: Atlassian Confluence Data Center
- Published:
- Last modified:
Description
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
CVE-2022-26134: Atlassian Confluence OGNL Injection Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2022-26134 |
| Vendor | Atlassian |
| Product | Confluence Server / Data Center |
| Severity | Critical (CVSS 3.1: 9.8) |
| CWE | CWE-917: Expression Language Injection |
| EPSS | 0.99999 (99.994th percentile) |
| KEV | Yes (added 2022-06-02) |
| CISA KEV | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26134 |
Summary
Atlassian Confluence Server and Data Center are affected by an unauthenticated OGNL injection vulnerability that allows remote attackers to execute arbitrary code on the target instance.
Background
Atlassian Confluence is a widely deployed web-based corporate wiki and collaboration platform. Confluence Server and Data Center are the self-hosted and clustered enterprise editions. The platform uses the Object-Graph Navigation Language (OGNL) expression language in several areas of its request handling and data-binding layers.
Root Cause
The vulnerability is classified as CWE-917: Expression Language Injection. The root cause lies in how Confluence evaluates user-supplied OGNL expressions in request paths or parameters without proper sanitization or sandboxing. An attacker can inject malicious OGNL syntax that the server subsequently parses and executes, leading to arbitrary code execution under the context of the application server process.
Impact
This vulnerability is rated Critical with a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- Confidentiality: High — attacker can read arbitrary data from the host, including database connection strings and cached content.
- Integrity: High — attacker can modify content, install plugins, or alter system configuration.
- Availability: High — attacker can crash the application or pivot to the underlying host.
Because the vulnerability is unauthenticated and exploitable over the network with low complexity, mass internet scanning and automated exploitation were observed immediately after disclosure.
Exploitation Walkthrough
Ethics caveat: This section describes the vulnerability mechanism for defensive and detection purposes only. Active exploitation against systems you do not own or have explicit permission to test is illegal and unethical.
The attack vector is a crafted HTTP request containing OGNL meta-characters and expressions in the URI path or query parameters. Confluence’s URL parser passes the raw string into an OGNL evaluation context. A typical malicious request includes namespace-traversal patterns and OGNL method calls that invoke Runtime.exec() or classloader manipulation. Because the exploit is unauthenticated, no valid session or credentials are required.
Defensive takeaways:
- Any request containing OGNL-like syntax (
${...},%{...},@...,class,Runtime,ProcessBuilder) in the URL path should be treated as suspicious. - The request method is typically
GETorPOST, but the payload is delivered in the URI. - Successful exploitation usually results in an outbound child process or a network callback from the Confluence server.
Affected and Patched Versions
The following versions are confirmed vulnerable:
- 1.3.0 through 7.4.16
- 7.13.0 through 7.13.6
- 7.14.0 through 7.14.2
- 7.15.0 through 7.15.1
- 7.16.0 through 7.16.3
- 7.17.0 through 7.17.3
- 7.18.0
Patched versions:
- 7.4.17
- 7.13.7
- 7.14.3
- 7.15.2
- 7.16.4
- 7.17.4
- 7.18.1
Remediation
- Upgrade immediately to the latest patched version listed above. Atlassian released an emergency fix and upgrading is the only reliable remediation.
- Workaround (if patching is delayed): Consider blocking all access to Confluence at the network edge (WAF/reverse proxy) until the patch can be applied. However, this is a temporary measure and should not replace patching.
- Compensating controls:
- Restrict Confluence management interfaces to internal IP ranges via VPN or firewall rules.
- Deploy a Web Application Firewall (WAF) rule to detect OGNL-like patterns in URI paths.
- Monitor for anomalous outbound connections from the Confluence server.
Detection
- Network: Look for OGNL meta-characters in HTTP URI paths (
${,%{,@java.lang,Runtime,ProcessBuilder) targeting Confluence endpoints. - Host: Monitor process-spawning events from the Confluence Java process (e.g., unexpected
bash,cmd.exe,powershell, orcurlchild processes). - Logs: Check Confluence access logs for long or unusual URI strings containing encoded special characters, especially
/%24%7Bor/%25%7Bpatterns. - EDR: Alert on Java processes establishing unexpected outbound network connections or loading unknown classes.
Assessment
This CVE carries an EPSS score of 0.99999 (99.994th percentile), meaning empirical data shows near-universal exploitation probability. It was added to the CISA Known Exploited Vulnerabilities Catalog on 2022-06-02, and active exploitation was observed in the wild within hours of disclosure.
Lessons learned:
- Expression-language injection is high-impact when it leads to code execution. Platforms that embed OGNL, SpEL, or similar engines must rigorously sanitize user input before evaluation.
- Unauthenticated RCE on public-facing collaboration tools is a catastrophic exposure. Organizations should ensure these systems are not directly internet-facing without strict filtering, even when fully patched.
References
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://jira.atlassian.com/browse/CONFSERVER-79016
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26134
- http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html
Frequently asked questions
- What is CVE-2022-26134?
- In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
- How severe is CVE-2022-26134?
- CVE-2022-26134 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-26134 being actively exploited?
- Yes. CVE-2022-26134 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-02, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-26134?
- CVE-2022-26134 primarily affects Atlassian Confluence Data Center. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-26134?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-26134 have an EU (EUVD) identifier?
- Yes. CVE-2022-26134 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-30701. It is also flagged as exploited in the EUVD (since 2022-06-02).
- When was CVE-2022-26134 published?
- CVE-2022-26134 was published on 2022-06-03 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html
- http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://jira.atlassian.com/browse/CONFSERVER-79016
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26134
Affected products (4)
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Confluence Data Center
- CVE-2023-22527 — Critical (CVSS 9.8): A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated…
- CVE-2023-22518 — Critical (CVSS 9.8): All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper…
- CVE-2023-22515 — Critical (CVSS 9.8): Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have…
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2021-26084 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2024-21683 — High (CVSS 8.8): This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center…
All CVEs affecting Atlassian Confluence Data Center →
Other CWE-917 vulnerabilities
- CVE-2025-3322 — Critical (CVSS 10.0): An improper neutralization of inputs used in expression language allows remote code execution with the highest…
- CVE-2022-22947 — Critical (CVSS 10.0): In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack…
- CVE-2026-11561 — Critical (CVSS 9.8): Improper neutralization of special elements used in an expression language statement ('expression language injection')…
- CVE-2026-22738 — Critical (CVSS 9.8): In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a…
- CVE-2026-24713 — Critical (CVSS 9.8): Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7,…
- CVE-2023-51593 — Critical (CVSS 9.8): Voltronic Power ViewPower Pro Expression Language Injection Remote Code Execution Vulnerability. This vulnerability…