Atlassian Confluence is the wiki and knowledge base at the center of countless engineering and operations teams, which makes it a high-value target and a magnet for internal secrets. CVE-2022-26134 is an unauthenticated OGNL injection vulnerability in Confluence Server and Data Center that leads to remote code execution, and the NVD rates it CVSS 3.x 9.8 (Critical). What sets this one apart is that it was discovered as an active zero-day: attackers were exploiting it in the wild before Atlassian had a patch.
Timeline and impact
The incident began when Volexity investigated a compromise over the U.S. Memorial Day weekend in late May 2022 and traced it to a previously unknown Confluence flaw. Atlassian published its advisory on June 2, 2022, initially with no fixed version available, an unusual and alarming state for a CVSS 9.8 bug, and released patched versions shortly after. Volexity received credit for the discovery.
Because working details and proof-of-concept exploits circulated within roughly a day of disclosure, and because a large number of Confluence instances are internet-facing, exploitation exploded almost immediately. Attackers deployed web shells (including Behinder and China Chopper variants), cryptominers, and ransomware, and used compromised Confluence servers as footholds into internal networks. CISA added CVE-2022-26134 to its Known Exploited Vulnerabilities catalog and issued guidance urging federal agencies to take affected instances offline until patched, one of the strongest signals a vulnerability can receive.
Root cause
OGNL (Object-Graph Navigation Language) is an expression language used inside Confluence's Java web framework to evaluate dynamic expressions, for example to resolve values in templates and navigation. The vulnerability is that attacker-controlled input placed in the request URI was passed into the OGNL evaluation engine without adequate sanitization. Because OGNL expressions can reach Java runtime objects, an expression that resolves the runtime and invokes a command executes on the server with the privileges of the Confluence process.
Crucially, the vulnerable evaluation happened before authentication, so no valid session or credentials were needed, an attacker simply sent a single crafted request. The conceptual shape of the attack, not a working payload, looks like this:
An unauthenticated HTTP request whose URI path contains an OGNL
expression of the form ${ ...expression that reaches the Java
runtime and executes a command... }
The server evaluates the expression and runs the command as the
Confluence service user.
Confluence's fix stopped user-controlled input in that path from reaching the OGNL evaluator.
Which versions were affected
CVE-2022-26134 affected all supported versions of Confluence Server and Data Center, with the vulnerable behavior present in releases after 1.3.0, effectively meaning that a default, up-to-date-on-its-branch instance was still exposed until patched. This universality is what made the disclosure so urgent: there was no "you are probably fine" configuration.
Detection
- Determine your exact Confluence version and edition (Server or Data Center) and compare against the fixed releases below.
- Review access logs for suspicious requests, especially unauthenticated requests whose URI paths contain OGNL-style expression syntax or unusual encoded characters, and unexpected responses from endpoints that should require authentication.
- Hunt for post-exploitation artifacts: newly written files under the Confluence web directories, unfamiliar Java child processes spawned by the Confluence service, and outbound connections to unknown hosts.
- Track the Confluence component in your asset and software inventory so a future critical advisory maps instantly to the instances you run.
Remediation and patched versions
Upgrade to a fixed release: Confluence 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, or 7.18.1 (or any later release on a supported branch). Given that exploitation was already underway at disclosure, treat any internet-facing instance that was unpatched during that window as potentially compromised: patch, then investigate for web shells and persistence, rotate credentials and tokens that the Confluence server had access to, and review connected integrations. Where an immediate upgrade was impossible, the interim guidance was to restrict network access to the instance or take it offline, patching remained the only durable fix. Atlassian Cloud instances were not affected in the same way as self-managed Server and Data Center deployments.
How Safeguard helps
CVE-2022-26134 shows why your inventory has to include the platforms and services you run, not just the libraries you compile in. Safeguard tracks components like Confluence inside your software and asset inventories and correlates every one against the CISA KEV catalog and live exploit intelligence, so the moment an actively exploited, patch-available advisory lands you can see exactly which deployments are affected and prioritize them above the noise. For teams that run Confluence or similar Java applications as containers, Safeguard's container scanning flags images pinned below a fixed version, and software composition analysis applies the same KEV-aware ranking to the Java and other dependencies your own applications bundle. Policy gates can block a deployment that ships a known-exploited component version. If you are evaluating platforms, the comparison overview covers how prioritization and coverage differ.
Zero-day exploitation moves in hours, your visibility has to move faster. Get started free or read the documentation.
Frequently Asked Questions
What is OGNL injection?
OGNL (Object-Graph Navigation Language) is an expression language embedded in some Java web frameworks to evaluate dynamic expressions at runtime. OGNL injection happens when attacker-controlled input is passed into the OGNL evaluator without sanitization. Because OGNL expressions can reach Java runtime objects and methods, an injected expression can execute arbitrary commands on the server, which is exactly what CVE-2022-26134 allowed in Confluence.
Which Confluence versions fix CVE-2022-26134?
Upgrade to Confluence 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, or 7.18.1, or any later release on a supported branch. These versions stop unauthenticated user input in the request path from reaching the OGNL evaluation engine. Because all supported Server and Data Center versions were vulnerable, staying current on a branch was not sufficient until one of these patched builds was applied.
Was CVE-2022-26134 a zero-day?
Yes. It was discovered by Volexity while investigating an active compromise, meaning attackers were exploiting it before a patch existed. Atlassian's June 2, 2022 advisory initially listed no fixed version, and public proof-of-concept exploits followed within about a day, driving immediate mass exploitation. That is why any internet-facing instance unpatched during the window should be treated as potentially compromised.
Were Atlassian Cloud Confluence instances affected?
The critical exposure was in self-managed Confluence Server and Data Center deployments, which customers run and patch themselves. Atlassian Cloud instances were not affected in the same way. If you run Confluence on your own infrastructure, you are responsible for applying the fixed version and for investigating any instance that was reachable and unpatched during the active-exploitation window.