CVE-2023-22527
CVE-2023-22527 is a critical-severity vulnerability in Atlassian Confluence Data Center with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-24). The underlying weakness is classified as CWE-74.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-01-24)
- EU (EUVD) id: EUVD-2023-26667
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-01-24)
- Weakness: CWE-74
- Affected product: Atlassian Confluence Data Center
- Published:
- Last modified:
Description
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
CVE-2023-22527: Atlassian Confluence Unauthenticated Template Injection Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-22527 |
| Vendor | Atlassian |
| Product | Confluence Data Center and Server |
| CWE | CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CVSS 3.1 | 9.8 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99984 (99.982nd percentile) |
| Known Exploited | Yes — CISA KEV added 2024-01-24 |
| Ransomware | Associated with ransomware campaigns |
| Assigner | [email protected] |
Summary
CVE-2023-22527 is an unauthenticated template injection vulnerability in Atlassian Confluence Data Center and Server that allows remote attackers to execute arbitrary code on the underlying server without credentials. The vulnerability has received a Critical CVSS 3.1 score of 9.8 and is under active exploitation in the wild.
Background
Atlassian Confluence is a widely deployed enterprise collaboration platform. Confluence uses server-side template rendering in some components. In affected versions, user-controlled input can reach the template engine and be evaluated as OGNL (Object-Graph Navigation Language) expressions, leading to unsafe code execution.
Root Cause
The vulnerability is classified as CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). The root cause is the unsafe evaluation of user-controlled input within the server-side template context. Specifically, input vectors that reach the template engine are not properly sanitized before being interpreted as expressions, allowing an attacker to inject and execute arbitrary commands on the host system.
Impact
The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects the severity:
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable over the internet |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | Unauthenticated |
| User Interaction | None | Fully automated |
| Scope | Unchanged | Impact remains within the vulnerable component |
| Confidentiality | High | Total information disclosure |
| Integrity | High | Total data integrity compromise |
| Availability | High | Total system availability compromise |
An unauthenticated attacker can achieve complete remote code execution, leading to full system compromise, data exfiltration, lateral movement, and deployment of ransomware.
Exploitation Walkthrough
Ethics caveat: This section is provided for defensive awareness and detection engineering only. Do not attempt to exploit systems you do not own or have explicit permission to test.
The attack chain follows a typical server-side template injection pattern:
- Reconnaissance — The attacker identifies an exposed Confluence instance running a vulnerable version.
- Injection — The attacker submits crafted input containing expression payloads to an endpoint that passes the input into a server-side template.
- Expression Evaluation — The template engine evaluates the injected content as executable code rather than literal data.
- Code Execution — The attacker gains remote code execution on the Confluence server, enabling subsequent payload delivery, persistence, and lateral movement.
Defensive teams should monitor for anomalous POST requests to Confluence endpoints, unexpected outbound connections from Confluence servers, and suspicious process spawning by the Confluence application user.
Affected and Patched Versions
According to the source data, older versions of Confluence Data Center and Server are affected. Atlassian's advisory notes that the most recent supported versions at the time of publication were not affected because the vulnerability was mitigated during regular version updates. NVD CPE entries list Confluence Data Center and Server broadly; specific upper-bound version ranges were not provided in the retrieved record. Administrators should consult the Atlassian security bulletin for definitive version guidance.
Remediation
- Upgrade — Atlassian recommends installing the latest supported version of Confluence Data Center or Server. Refer to the official Atlassian security bulletin for specific patch guidance.
- Compensating Controls — If immediate patching is not possible:
- Restrict network access to Confluence administration and internal endpoints to trusted IP ranges.
- Deploy a Web Application Firewall (WAF) with rules targeting template injection and expression-language injection patterns.
- Monitor Confluence logs for suspicious input containing OGNL metacharacters (
${,%{,@, etc.).
Detection
- Network — Monitor for unusual POST requests to Confluence endpoints with payloads containing expression markers.
- Endpoint — Alert on unexpected child processes spawned by the Confluence Java process.
- Logs — Review Confluence access logs for repeated requests from single sources with large or encoded payloads.
- Threat Intelligence — Correlate IP addresses attacking Confluence instances with known threat actor infrastructure linked to CVE-2023-22527 exploitation.
Assessment
With an EPSS score of 0.99984 (99.982nd percentile), this vulnerability is among the most likely to be exploited in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on 2024-01-24, and it is associated with ransomware activity. The combination of unauthenticated network access, low attack complexity, and complete CIA triad impact makes this a patching priority.
Key lessons:
- Template engines must never evaluate user-controlled input directly; strict input validation and context-aware output encoding are essential.
- Active exploitation data (EPSS + KEV) should elevate patching timelines even when a vendor describes a vulnerability as already mitigated in current versions, because legacy instances often remain exposed.
References
- http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615
- https://jira.atlassian.com/browse/CONFSERVER-93833
- https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-fun-and-learning-cve-2023-22527
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22527
Frequently asked questions
- What is CVE-2023-22527?
- A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
- How severe is CVE-2023-22527?
- CVE-2023-22527 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-22527 being actively exploited?
- Yes. CVE-2023-22527 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-24, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-22527?
- CVE-2023-22527 primarily affects Atlassian Confluence Data Center. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-22527?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-22527 have an EU (EUVD) identifier?
- Yes. CVE-2023-22527 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-26667. It is also flagged as exploited in the EUVD (since 2024-01-24).
- When was CVE-2023-22527 published?
- CVE-2023-22527 was published on 2024-01-16 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/176789/Atlassian-Confluence-SSTI-Injection.html
- https://confluence.atlassian.com/pages/viewpage.action?pageId=1333335615
- https://jira.atlassian.com/browse/CONFSERVER-93833
- https://www.vicarius.io/vsociety/posts/pwning-confluence-via-ognl-injection-for-fun-and-learning-cve-2023-22527
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22527
Affected products (3)
- cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_data_center:8.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
More vulnerabilities in Atlassian Confluence Data Center
- CVE-2023-22518 — Critical (CVSS 9.8): All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper…
- CVE-2023-22515 — Critical (CVSS 9.8): Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have…
- CVE-2022-26136 — Critical (CVSS 9.8): A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used…
- CVE-2022-26134 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2021-26084 — Critical (CVSS 9.8): In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an…
- CVE-2024-21683 — High (CVSS 8.8): This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center…
All CVEs affecting Atlassian Confluence Data Center →
Other CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities
- CVE-2026-25586 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty…
- CVE-2026-25520 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped.…
- CVE-2025-20265 — Critical (CVSS 10.0): A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2025-20337 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2025-20281 — Critical (CVSS 10.0): A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to…
- CVE-2024-42472 — Critical (CVSS 10.0): Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious…
Browse all CWE-74 (Improper Neutralization of Special Elements (Injection)) vulnerabilities →