CVE-2023-22515
CVE-2023-22515 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-05). The underlying weakness is classified as CWE-20.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-10-05)
- EU (EUVD) id: EUVD-2023-26655
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-10-05)
- Weakness: CWE-20
- Affected product: Atlassian Confluence Data Center
- Published:
- Last modified:
Description
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
CVE-2023-22515: Atlassian Confluence Critical Authentication Bypass Enables Unauthorized Admin Creation
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-22515 |
| Vendor | Atlassian |
| Product | Confluence Data Center, Confluence Server |
| CVSS v3.1 | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-20 — Improper Input Validation |
| EPSS | 0.99156 (99.16% probability of exploitation) |
| KEV Status | Listed — added 2023-10-05 |
| EU Exploited | Confirmed — since 2023-10-05 |
Summary
Atlassian disclosed that external attackers exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and gain unrestricted access to instances. The flaw does not affect Atlassian Cloud sites hosted on atlassian.net domains. The vulnerability carries a CVSS v3.1 score of 9.8, driven by network attackability with no privileges or user interaction required, and delivers full confidentiality, integrity, and availability impact.
Background
Confluence is a widely deployed enterprise wiki and collaboration platform. Both self-managed Confluence Server and clustered Confluence Data Center editions expose web-facing setup and configuration endpoints that, in this case, failed to enforce proper authentication boundaries during specific state transitions. Atlassian acknowledged active, in-the-wild exploitation after multiple customer reports of unauthorized admin accounts appearing in their instances.
Root Cause
CWE-20: Improper Input Validation
The vulnerability stems from inadequate validation of incoming requests to Confluence setup endpoints. Specifically, an attacker could manipulate requests to the configuration/setup flow in a way that bypassed authentication requirements and reached privileged account-creation functionality. Because the application did not sufficiently validate or restrict the state and origin of these requests, unauthenticated actors could reach and execute admin-setup operations intended only for first-time installation.
Impact
The CVSS v3.1 metrics quantify severe, wide-reaching risk:
- Attack Vector (AV): Network — Exploitable over the internet with no local access required.
- Attack Complexity (AC): Low — No special conditions or advanced workarounds needed.
- Privileges Required (PR): None — Fully unauthenticated.
- User Interaction (UI): None — No victim action required.
- Scope (S): Unchanged — Impact remains within the vulnerable Confluence instance.
- Confidentiality (C): High — Full data access, including wiki content, attachments, and connected credentials.
- Integrity (I): High — Attacker can modify pages, permissions, and configurations.
- Availability (A): High — Attacker can degrade or take down the instance.
With an EPSS score of 0.99156 and confirmed KEV listing, exploitation is not theoretical — it is observed, ongoing, and highly probable for exposed instances.
Exploitation Walkthrough
Ethics caveat: This section describes the exploitation mechanism at a defensive, architectural level only. No weaponized code is provided. Security teams should use this knowledge to understand attacker tradecraft and prioritize patching.
- Reconnaissance: The attacker identifies a publicly reachable Confluence Server or Data Center instance, often through scanning for known Confluence paths (
/login.action,/wiki,/confluence). - Endpoint Access: The attacker sends crafted HTTP requests to setup or bootstrap endpoints that are intended to be reachable only during initial installation.
- State Manipulation: By supplying specific parameters and headers, the attacker coerces the application into treating the request as part of a legitimate setup flow, bypassing the expected authentication gate.
- Admin Account Creation: The attacker creates a new Confluence administrator account, granting persistent, privileged access to the instance.
- Post-Exploitation: With admin rights, the attacker may install plugins, exfiltrate data, modify content, pivot to connected systems, or establish backdoors.
Affected and Patched Versions
Atlassian has not published an exhaustive version matrix in the disclosed references, but the vulnerability affects Confluence Data Center and Server self-managed editions. Atlassian Cloud (hosted on atlassian.net) is not affected.
Administrators should consult the official Atlassian FAQ and security advisory (see References) for the definitive list of fixed versions and upgrade paths. As of the original disclosure, Atlassian released patches for supported LTS lines; instances running end-of-life versions should be upgraded immediately.
Remediation
- Upgrade immediately to a fixed version as specified in the Atlassian security advisory. Prioritize externally exposed instances.
- Verify no unauthorized admins exist by auditing the Confluence user directory and reviewing membership of the
confluence-administratorsgroup. - Review access logs for suspicious requests to setup or configuration endpoints around and after 2023-10-04.
- Restrict network exposure — Confluence instances should not be directly internet-facing without a VPN, WAF, or IP allow-list.
- Compensating controls until patched:
- Block external access to
/setup*and similar bootstrap paths at the reverse proxy or WAF layer. - Enable multi-factor authentication (MFA) for all admin accounts.
- Monitor for newly created admin accounts and unexpected privilege changes.
- Block external access to
Detection
- Log analysis: Hunt for HTTP requests to
/setup*or/bootstrap*paths from unexpected source IPs, especiallyPOSTrequests that result in200 OK. - User directory audit: Query for admin accounts created outside of normal change windows or with suspicious email domains.
- Network monitoring: Flag inbound traffic to Confluence from known scanning or VPS IP ranges followed by admin-level API activity.
- EDR/XDR: Look for child processes spawned by the Confluence application user that are atypical (e.g., reverse shells, unusual Java plugin loads).
Assessment
CVE-2023-22515 is a textbook example of why externally exposed collaboration platforms remain high-value targets. The combination of low attack complexity, no authentication requirement, and confirmed active exploitation (CISA KEV and EU exploited-vulnerability database) places this in the highest remediation tier. The EPSS score of 0.99156 leaves little room for delay.
Key lessons:
- Setup endpoints are forever endpoints — authentication and lifecycle checks on installation/bootstrap paths must survive beyond the first-run context.
- Exposure equals exploitation — self-managed apps on the public internet without compensating controls are continuously probed; a single logic flaw becomes a mass-compromise event.
References
- https://confluence.atlassian.com/display/KB/FAQ+for+CVE-2023-22515
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1295682276
- https://jira.atlassian.com/browse/CONFSERVER-92475
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22515
- http://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
Frequently asked questions
- What is CVE-2023-22515?
- Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
- How severe is CVE-2023-22515?
- CVE-2023-22515 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-22515 being actively exploited?
- Yes. CVE-2023-22515 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-22515?
- CVE-2023-22515 primarily affects Atlassian Confluence Data Center. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-22515?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-22515 have an EU (EUVD) identifier?
- Yes. CVE-2023-22515 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-26655. It is also flagged as exploited in the EUVD (since 2023-10-05).
- When was CVE-2023-22515 published?
- CVE-2023-22515 was published on 2023-10-04 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
- https://confluence.atlassian.com/display/KB/FAQ+for+CVE-2023-22515
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1295682276
- https://jira.atlassian.com/browse/CONFSERVER-92475
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22515
Affected products (2)
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Confluence Data Center
- CVE-2023-22527 — Critical (CVSS 9.8): A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated…
- CVE-2023-22518 — Critical (CVSS 9.8): All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper…
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2022-26134 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2021-26084 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2024-21683 — High (CVSS 8.8): This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center…
All CVEs affecting Atlassian Confluence Data Center →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →