CVE-2023-22518

CVE-2023-22518 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-11-07). The underlying weakness is classified as CWE-863.

Key facts

Description

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability.  Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

CVE-2023-22518: Critical Improper Authorization in Atlassian Confluence Data Center and Server

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2023-22518
Vendor Atlassian
Product Confluence Data Center, Confluence Server
CWE CWE-863: Improper Authorization
CVSS 3.1 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.99999 (99.999th percentile)
KEV Yes — Added 2023-11-07
Published 2023-10-31
Last Modified 2026-06-17

Summary

CVE-2023-22518 is a critical improper authorization vulnerability affecting all versions of Atlassian Confluence Data Center and Server. An unauthenticated attacker can exploit this flaw to reset a Confluence instance and create a new instance administrator account. Once administrative access is obtained, the attacker can perform any action available to a Confluence administrator, resulting in complete compromise of confidentiality, integrity, and availability of the affected system.

Background

Atlassian Confluence is a widely deployed enterprise collaboration and wiki platform used by organizations to manage documentation, knowledge bases, and team collaboration. Confluence Data Center and Server are the self-hosted versions of the product, as opposed to Atlassian Cloud (atlassian.net hosted instances), which are not affected by this vulnerability. The flaw was disclosed on 2023-10-31 and rapidly escalated due to its trivial exploitability and high impact.

Root Cause

CWE-863: Improper Authorization

The vulnerability stems from a failure to properly enforce authorization checks on a critical endpoint. Specifically, the application allows unauthenticated requests to trigger a Confluence instance reset and subsequent administrator account creation without verifying that the requester possesses the necessary privileges. This represents a breakdown in the application's access control layer, where a sensitive administrative function is exposed to anonymous users.

Impact

The CVSS 3.1 score of 9.8 (Critical) reflects the severe nature of this vulnerability:

  • Attack Vector (AV): Network — exploitable remotely without physical access
  • Attack Complexity (AC): Low — no special conditions or circumventing protections required
  • Privileges Required (PR): None — fully unauthenticated exploitation
  • User Interaction (UI): None — no user interaction needed
  • Scope (S): Unchanged — impact remains within the vulnerable component
  • Confidentiality (C): High — total data exposure
  • Integrity (I): High — complete data and configuration modification possible
  • Availability (A): High — service can be rendered unavailable or fully repurposed

Successful exploitation grants the attacker full administrative control over the Confluence instance, enabling data exfiltration, backdoor installation, lateral movement, and denial of service.

Exploitation Walkthrough

⚠️ Ethics Notice: The following describes the exploitation mechanism at a defensive level to aid detection and mitigation. This information is provided for security research and defensive purposes only. Do not use this knowledge to attack systems without explicit authorization.

An attacker sends a specially crafted unauthenticated HTTP request to a vulnerable Confluence endpoint that triggers the instance reset workflow. The application processes the request without validating the user's identity or authorization level, leading to the destruction of existing configuration state and the presentation of the initial setup wizard. The attacker then completes the setup wizard to create a new administrator account, effectively seizing control of the instance.

No working exploit code is provided here. Organizations should prioritize patching and detection over attempting to reproduce the attack in production environments. Security teams may validate patch effectiveness in isolated test labs.

Affected and Patched Versions

Affected:

  • All versions of Atlassian Confluence Data Center
  • All versions of Atlassian Confluence Server

Not Affected:

  • Atlassian Cloud (hosted on atlassian.net domains)

Note: Specific patched version information was not available in the source data. Organizations should consult the Atlassian Security Advisory and apply the latest available updates for their Confluence installation.

Remediation

  1. Upgrade Immediately: Apply the latest security patches from Atlassian for Confluence Data Center and Server. Refer to the official Atlassian advisory for specific patched versions.
  2. Restrict Network Access: Limit Confluence instance access to trusted networks and authorized users via VPNs, IP allowlists, or reverse proxies.
  3. Monitor for Exploitation: Review access logs for unauthenticated requests to sensitive endpoints, unexpected instance resets, or unauthorized administrator account creation.
  4. Incident Response: If exploitation is suspected, assume full compromise. Isolate the instance, conduct forensic analysis, rotate all credentials, and rebuild from known-good backups if necessary.

Detection

  • Log Analysis: Monitor web server and Confluence application logs for anomalous unauthenticated POST requests to administrative endpoints.
  • Account Monitoring: Alert on new administrator account creation outside of scheduled maintenance windows.
  • Configuration Monitoring: Detect unexpected changes to Confluence instance configuration or database state.
  • Network Detection: Use IDS/IPS signatures or WAF rules to block known exploitation patterns targeting CVE-2023-22518.

Assessment

CVE-2023-22518 is an exceptionally dangerous vulnerability due to its unauthenticated nature, trivial exploitability, and complete system compromise outcome. With an EPSS score of 0.99999 and confirmed inclusion in both the CISA KEV catalog and EU Exploited Vulnerabilities Database (since 2023-11-07), this vulnerability has been actively exploited in the wild. The absence of privilege requirements or user interaction makes it a prime target for automated exploitation.

Key takeaways:

  1. Self-hosted Confluence instances require urgent patching — the risk of in-the-wild exploitation is near-certain.
  2. Organizations relying on Atlassian Cloud are protected by the SaaS boundary, highlighting the security trade-offs between self-hosted and cloud-managed deployments.

References

Frequently asked questions

What is CVE-2023-22518?
All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability.  Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
How severe is CVE-2023-22518?
CVE-2023-22518 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-22518 being actively exploited?
Yes. CVE-2023-22518 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-11-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-22518?
CVE-2023-22518 primarily affects Atlassian Confluence Data Center. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-22518?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-22518 have an EU (EUVD) identifier?
Yes. CVE-2023-22518 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-26658. It is also flagged as exploited in the EUVD (since 2023-11-07).
When was CVE-2023-22518 published?
CVE-2023-22518 was published on 2023-10-31 and last updated on 2026-06-17.

References

Affected products (4)

More vulnerabilities in Atlassian Confluence Data Center

All CVEs affecting Atlassian Confluence Data Center →

Other CWE-863 (Incorrect Authorization) vulnerabilities

Browse all CWE-863 (Incorrect Authorization) vulnerabilities →