>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2022-26134

Atlassian Confluence OGNL Injection Remote Code Execution

An unauthenticated OGNL (Object-Graph Navigation Language) injection vulnerability in Atlassian Confluence Server and Data Center allows remote code execution on any accessible Confluence instance, with no authentication required.

cat cve-2022-26134.json
Vendor: Atlassian
Product: Confluence Server and Data Center
CVSS: 9.8
Status: KEV
Published:
CVE-2022-26134 is a critical, unauthenticated OGNL injection vulnerability in Atlassian Confluence Server and Data Center, disclosed June 2, 2022 after Atlassian’s own security team, working with an incident responder, discovered it was already being actively exploited as a zero-day. Specially crafted input reaching a vulnerable Confluence endpoint could be evaluated as OGNL expressions, giving an unauthenticated remote attacker arbitrary code execution on the underlying server.
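Because the vulnerability is triggered by crafted input reaching a Confluence endpoint, the request path in the web server access log is the first place to look when triaging exposure. The following detection script is an added example, not code from Atlassian or from this page: it assumes Tomcat combined-format access logs, and the log lines and the `probe` token in them are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format, as written by Confluence's Tomcat).
# The "${probe}" path is a placeholder marker for an OGNL expression delimiter, not a payload.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:14:07 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2022:10:14:09 +0000] "GET /%24%7Bprobe%7D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
198.51.100.7 - - [03/Jun/2022:10:15:01 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2022:10:15:30 +0000] "GET /%2524%257Bprobe%257D/ HTTP/1.1" 302 0 "-" "curl/7.79.1"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "${" opens an OGNL expression; its presence in a URL path is never legitimate Confluence traffic.
OGNL_MARKER = re.compile(r'\$\{')


def decode_fully(s, max_rounds=3):
    """URL-decode repeatedly so entries logged with residual (double) encoding are normalized."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_ognl_requests(log_text):
    """Return one record per request whose decoded path carries an OGNL expression marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = decode_fully(m['path'])
        if OGNL_MARKER.search(path):
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'path': path, 'status': int(m['status'])})
    return hits


def sources_by_count(hits):
    """Aggregate flagged requests per client address so triage starts with the noisiest source."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for h in find_ognl_requests(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['status']} {h['path']}")
```

A 302 on a path like this does not by itself confirm a successful exploit; treat any hit against an unpatched instance as a trigger for a host-level investigation (new webshells, unexpected child processes of the Confluence user).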

Why it mattered

Confluence is a documentation and internal-knowledge platform that, for most organizations that run it, holds an outsized share of institutional knowledge — architecture diagrams, credentials accidentally pasted into wiki pages, internal network documentation. It’s a frequent precursor target for ransomware operators specifically because compromising it yields both a foothold and reconnaissance material in one step. Within days of disclosure, mass internet scanning and exploitation attempts began, including webshell deployment and cryptomining payloads, against any Confluence instance left unpatched and internet-exposed.

Atlassian shipped emergency patches within roughly 48 hours of public disclosure and published interim mitigation steps (a WAF rule and a temporary workaround) for organizations unable to patch immediately. CISA added the CVE to its KEV catalog. Full technical detail and patch availability are in Atlassian’s security advisory and at the NVD link above.