CVE-2023-22515

CVE-2023-22515 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-05). The underlying weakness is classified as CWE-20.

Key facts

Description

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

CVE-2023-22515: Atlassian Confluence Critical Authentication Bypass Enables Unauthorized Admin Creation

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2023-22515
Vendor Atlassian
Product Confluence Data Center, Confluence Server
CVSS v3.1 9.8 (CRITICAL)
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-20 — Improper Input Validation
EPSS 0.99156 (99.16% probability of exploitation)
KEV Status Listed — added 2023-10-05
EU Exploited Confirmed — since 2023-10-05

Summary

Atlassian disclosed that external attackers exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and gain unrestricted access to instances. The flaw does not affect Atlassian Cloud sites hosted on atlassian.net domains. The vulnerability carries a CVSS v3.1 score of 9.8, driven by network attackability with no privileges or user interaction required, and delivers full confidentiality, integrity, and availability impact.

Background

Confluence is a widely deployed enterprise wiki and collaboration platform. Both self-managed Confluence Server and clustered Confluence Data Center editions expose web-facing setup and configuration endpoints that, in this case, failed to enforce proper authentication boundaries during specific state transitions. Atlassian acknowledged active, in-the-wild exploitation after multiple customer reports of unauthorized admin accounts appearing in their instances.

Root Cause

CWE-20: Improper Input Validation

The vulnerability stems from inadequate validation of incoming requests to Confluence setup endpoints. Specifically, an attacker could manipulate requests to the configuration/setup flow in a way that bypassed authentication requirements and reached privileged account-creation functionality. Because the application did not sufficiently validate or restrict the state and origin of these requests, unauthenticated actors could reach and execute admin-setup operations intended only for first-time installation.

Impact

The CVSS v3.1 metrics quantify severe, wide-reaching risk:

  • Attack Vector (AV): Network — Exploitable over the internet with no local access required.
  • Attack Complexity (AC): Low — No special conditions or advanced workarounds needed.
  • Privileges Required (PR): None — Fully unauthenticated.
  • User Interaction (UI): None — No victim action required.
  • Scope (S): Unchanged — Impact remains within the vulnerable Confluence instance.
  • Confidentiality (C): High — Full data access, including wiki content, attachments, and connected credentials.
  • Integrity (I): High — Attacker can modify pages, permissions, and configurations.
  • Availability (A): High — Attacker can degrade or take down the instance.

With an EPSS score of 0.99156 and confirmed KEV listing, exploitation is not theoretical — it is observed, ongoing, and highly probable for exposed instances.

Exploitation Walkthrough

Ethics caveat: This section describes the exploitation mechanism at a defensive, architectural level only. No weaponized code is provided. Security teams should use this knowledge to understand attacker tradecraft and prioritize patching.

  1. Reconnaissance: The attacker identifies a publicly reachable Confluence Server or Data Center instance, often through scanning for known Confluence paths (/login.action, /wiki, /confluence).
  2. Endpoint Access: The attacker sends crafted HTTP requests to setup or bootstrap endpoints that are intended to be reachable only during initial installation.
  3. State Manipulation: By supplying specific parameters and headers, the attacker coerces the application into treating the request as part of a legitimate setup flow, bypassing the expected authentication gate.
  4. Admin Account Creation: The attacker creates a new Confluence administrator account, granting persistent, privileged access to the instance.
  5. Post-Exploitation: With admin rights, the attacker may install plugins, exfiltrate data, modify content, pivot to connected systems, or establish backdoors.

Affected and Patched Versions

Atlassian has not published an exhaustive version matrix in the disclosed references, but the vulnerability affects Confluence Data Center and Server self-managed editions. Atlassian Cloud (hosted on atlassian.net) is not affected.

Administrators should consult the official Atlassian FAQ and security advisory (see References) for the definitive list of fixed versions and upgrade paths. As of the original disclosure, Atlassian released patches for supported LTS lines; instances running end-of-life versions should be upgraded immediately.

Remediation

  1. Upgrade immediately to a fixed version as specified in the Atlassian security advisory. Prioritize externally exposed instances.
  2. Verify no unauthorized admins exist by auditing the Confluence user directory and reviewing membership of the confluence-administrators group.
  3. Review access logs for suspicious requests to setup or configuration endpoints around and after 2023-10-04.
  4. Restrict network exposure — Confluence instances should not be directly internet-facing without a VPN, WAF, or IP allow-list.
  5. Compensating controls until patched:
    • Block external access to /setup* and similar bootstrap paths at the reverse proxy or WAF layer.
    • Enable multi-factor authentication (MFA) for all admin accounts.
    • Monitor for newly created admin accounts and unexpected privilege changes.

Detection

  • Log analysis: Hunt for HTTP requests to /setup* or /bootstrap* paths from unexpected source IPs, especially POST requests that result in 200 OK.
  • User directory audit: Query for admin accounts created outside of normal change windows or with suspicious email domains.
  • Network monitoring: Flag inbound traffic to Confluence from known scanning or VPS IP ranges followed by admin-level API activity.
  • EDR/XDR: Look for child processes spawned by the Confluence application user that are atypical (e.g., reverse shells, unusual Java plugin loads).

Assessment

CVE-2023-22515 is a textbook example of why externally exposed collaboration platforms remain high-value targets. The combination of low attack complexity, no authentication requirement, and confirmed active exploitation (CISA KEV and EU exploited-vulnerability database) places this in the highest remediation tier. The EPSS score of 0.99156 leaves little room for delay.

Key lessons:

  1. Setup endpoints are forever endpoints — authentication and lifecycle checks on installation/bootstrap paths must survive beyond the first-run context.
  2. Exposure equals exploitation — self-managed apps on the public internet without compensating controls are continuously probed; a single logic flaw becomes a mass-compromise event.

References

Frequently asked questions

What is CVE-2023-22515?
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
How severe is CVE-2023-22515?
CVE-2023-22515 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-22515 being actively exploited?
Yes. CVE-2023-22515 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-22515?
CVE-2023-22515 primarily affects Atlassian Confluence Data Center. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-22515?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-22515 have an EU (EUVD) identifier?
Yes. CVE-2023-22515 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-26655. It is also flagged as exploited in the EUVD (since 2023-10-05).
When was CVE-2023-22515 published?
CVE-2023-22515 was published on 2023-10-04 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Atlassian Confluence Data Center

All CVEs affecting Atlassian Confluence Data Center →

Other CWE-20 (Improper Input Validation) vulnerabilities

Browse all CWE-20 (Improper Input Validation) vulnerabilities →