Atlassian Confluence Data Center and Server Broken Access Control
A broken-access-control vulnerability in Atlassian Confluence Data Center and Server allows a remote, unauthenticated attacker to create unauthorized Confluence administrator accounts and gain full access to affected instances.
- Vendor: Atlassian
- Product: Confluence Data Center and Server
- CVSS: 10.0
- Status: kev
- Published
CVE-2023-22515 is a maximum-severity broken-access-control vulnerability in Atlassian Confluence Data Center and Server. Exploitation lets a remote, unauthenticated attacker create new Confluence instance administrator accounts and access affected instances directly — no credentials required.
Atlassian disclosed the flaw on October 4, 2023, stating it had already observed active exploitation against a small number of customers prior to the public advisory. CISA added it to the Known Exploited Vulnerabilities catalog the same week, and Atlassian subsequently confirmed broader exploitation as proof-of-concept details circulated.
Why it mattered
Confluence is a default repository for internal documentation — credentials, architecture diagrams, incident runbooks, and other material attackers prize as a precursor to ransomware deployment or further lateral movement. A flaw that hands out admin accounts to anonymous attackers turns the wiki into a beachhead.
Atlassian’s security advisory and the NVD record for CVE-2023-22515 carry patch guidance and affected version ranges. Cloud-hosted Confluence sites were not affected.