CVE-2022-26134

9.8 CRITICAL

📋 TL;DR

CVE-2022-26134 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center that allows unauthenticated attackers to execute arbitrary code remotely. This affects Confluence instances running vulnerable versions, potentially compromising the entire server. Organizations using affected Confluence versions for collaboration are at immediate risk.

💻 Affected Systems

Products:
  • Atlassian Confluence Server
  • Atlassian Confluence Data Center
Versions: From 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1
Operating Systems: All operating systems running Confluence
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the Confluence server, deploying ransomware, stealing sensitive data, and pivoting to internal networks.

🟠 Likely Case

Remote code execution leading to data theft, installation of backdoors, cryptocurrency miners, or disruption of Confluence services.

🟢 If Mitigated

Limited impact if network segmentation, WAF rules, and strict access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing instances extremely vulnerable to widespread attacks.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits available. Mass scanning and exploitation observed in the wild. Simple HTTP requests can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later

Vendor Advisory: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Restart Required: Yes

Instructions:

1. Back up your Confluence instance.
2. Download the appropriate fixed version from Atlassian.
3. Stop the Confluence service.
4. Apply the patch/upgrade.
5. Restart the Confluence service.
6. Verify the fix.

🔧 Temporary Workarounds

Block vulnerable endpoints via web server

Block access to the vulnerable endpoint to prevent exploitation.

# For Apache (mod_rewrite; the rule does nothing unless the engine is enabled):
RewriteEngine On
RewriteRule ^/.*\.jsp.*$ - [F,L]

# For Nginx:
location ~ \.jsp$ { return 403; }

WAF rule to block OGNL injection patterns

Configure WAF to block requests containing OGNL injection patterns.

# Example ModSecurity rule. It inspects the request URI as well as the
# parameters, after URL decoding, so an encoded %24%7B in the path is matched too.
SecRule REQUEST_URI|ARGS "\$\{.*\}" "id:1001,phase:2,deny,t:urlDecodeUni"

🧯 If You Can't Patch

  • Immediately isolate Confluence servers from internet and restrict network access
  • Implement strict network segmentation and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Confluence version via Admin → General Configuration or run: grep -i 'confluence.version' confluence/WEB-INF/classes/confluence-init.properties

Check Version:

grep -i 'confluence.version' confluence/WEB-INF/classes/confluence-init.properties

Verify Fix Applied:

Verify version is 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later
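The version comparison described by the Affected Systems entry and the Verify Fix Applied step, as an added example that is not part of this advisory or Atlassian's tooling. It hard-codes the ranges stated on this page; SAMPLE_PROPERTIES is a constructed stand-in for the properties file the grep command above reads. A result of "unlisted" marks a version (for example 7.5.x to 7.12.x) that falls in none of the stated ranges; such a version should be checked against the vendor advisory rather than assumed safe.

```python
"""Classify a Confluence Server / Data Center version against the
CVE-2022-26134 ranges on this page.

Added example for this advisory (not Atlassian tooling). AFFECTED_RANGES is
copied from the page's Affected Systems entry; SAMPLE_PROPERTIES is a
constructed stand-in for the properties file the page's grep command reads.
"""
import re

# (first affected, first fixed) pairs from the advisory: a version v is in
# the affected range when lo <= v < hi.
AFFECTED_RANGES = [
    ((1, 3, 0), (7, 4, 17)),
    ((7, 13, 0), (7, 13, 7)),
    ((7, 14, 0), (7, 14, 3)),
    ((7, 15, 0), (7, 15, 2)),
    ((7, 16, 0), (7, 16, 4)),
    ((7, 17, 0), (7, 17, 4)),
    ((7, 18, 0), (7, 18, 1)),
]

# Constructed sample of a properties file like the one the page greps for.
SAMPLE_PROPERTIES = """\
confluence.home=/var/atlassian/application-data/confluence
confluence.version=7.13.6
"""


def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.13.6',
    '7.13.6-m01' or 'confluence.version=7.18.0'. Missing parts become 0."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def version_from_properties(text):
    """Pull the confluence.version value out of properties-file content."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "confluence.version":
            return value.strip()
    raise ValueError("confluence.version not found")


def status(version):
    """'vulnerable' if inside a stated range; 'fixed' if at or after the fix
    for its release line, or newer than every listed fix; otherwise
    'unlisted' (e.g. 7.5.x-7.12.x, which the page's ranges do not cover:
    check the vendor advisory rather than treating it as safe)."""
    v = parse_version(version)
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        return "vulnerable"
    latest_fix = max(hi for _, hi in AFFECTED_RANGES)
    if v >= latest_fix or any(v[:2] == hi[:2] and v >= hi for _, hi in AFFECTED_RANGES):
        return "fixed"
    return "unlisted"


if __name__ == "__main__":
    for ver in ("6.15.0", version_from_properties(SAMPLE_PROPERTIES),
                "7.13.7", "7.12.5", "7.18.0", "7.19.0"):
        print("%-8s %s" % (ver, status(ver)))
```

Run it against the output of the grep command on each node; an "unlisted" result is a prompt to consult the vendor advisory, not a clean bill of health.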

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Confluence endpoints
  • Requests containing OGNL expressions like ${...}
  • Java process spawning unexpected child processes

Network Indicators:

  • HTTP requests with OGNL payloads in parameters
  • Unusual outbound connections from Confluence server

SIEM Query:

source="confluence.log" AND ("${*" OR "%24%7B*" OR "class.*forName" OR "Runtime.getRuntime")
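The page's log and network indicators applied to sample access-log lines, as an added example that is not vendor or SIEM-product code. It looks for the same markers as the SIEM query above: `${` raw or URL-encoded as `%24%7B`, `class.forName` and `Runtime.getRuntime`. Because in-the-wild requests carried the OGNL expression in the URI path, the whole decoded request target (path and query) is inspected, not just parameters, and decoding is repeated so a double-encoded marker is not missed. The log lines are constructed samples using documentation addresses, not real traffic.

```python
"""Scan web-server access-log lines for the CVE-2022-26134 indicators listed
on this page.

Added example for this advisory (not vendor or SIEM-product code). The
indicators are the page's: '${' raw or URL-encoded ('%24%7B'),
'class.forName' and 'Runtime.getRuntime'. In-the-wild requests carried the
OGNL expression in the URI path, so the whole request target (path and
query) is decoded and inspected, not just parameters. SAMPLE_LOG is
constructed, with RFC 5737 documentation addresses; it is not real traffic.
"""
import re
from urllib.parse import unquote

# Request line of a combined-format access log: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Page indicators, checked against the decoded request target.
INDICATORS = {
    "ognl_expr": re.compile(r"\$\{"),
    "class_forname": re.compile(r"class\.forName", re.IGNORECASE),
    "runtime_getruntime": re.compile(r"Runtime\.getRuntime", re.IGNORECASE),
}

# Constructed sample lines: one benign page view, one benign '$' in a query
# value, an encoded '${1+1}' probe in the path, the same probe double-encoded,
# and a POST whose query string carries the Runtime.getRuntime marker.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2022:10:01:12 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 5123',
    '203.0.113.5 - - [02/Jun/2022:10:01:40 +0000] "GET /pages/viewpage.action?pageId=123&cost=%2450 HTTP/1.1" 200 871',
    '198.51.100.7 - - [02/Jun/2022:10:02:03 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [02/Jun/2022:10:02:04 +0000] "GET /%2524%257B1%252B1%257D/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [02/Jun/2022:10:03:17 +0000] "POST /rest/api/content?title=Runtime.getRuntime HTTP/1.1" 400 212',
]


def decode_fully(s, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded %2524%257B is seen as ${."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_request(target):
    """Return the names of the indicators present in a request target."""
    decoded = decode_fully(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (line_no, method, target, indicators) for each suspicious line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue  # not a parseable request line
        found = inspect_request(m.group("target"))
        if found:
            hits.append((line_no, m.group("method"), m.group("target"), found))
    return hits


if __name__ == "__main__":
    for line_no, method, target, found in scan_log(SAMPLE_LOG):
        print("line %d: %s %s -> %s" % (line_no, method, target, ", ".join(found)))
```

Point `scan_log` at the reverse proxy's access log as well as Confluence's own log: the proxy records the raw, still-encoded request target, which is where the `%24%7B` form of the indicator shows up.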
