Vulnerability Analysis

Confluence Zero-Day (CVE-2022-26134): Atlassian's OGNL Injection Crisis

An unauthenticated RCE zero-day in Confluence Server was being actively exploited before Atlassian even knew about it. The vulnerability affected virtually every on-premise Confluence installation.

James
Security Analyst

On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Data Center. The advisory was unusual in one important respect: it disclosed the vulnerability without a patch. Atlassian was aware of active exploitation and decided that disclosure without a fix was better than silence.

The vulnerability was an Object-Graph Navigation Language (OGNL) injection flaw — the same class of vulnerability that had plagued Apache Struts for years. For any organization running on-premise Confluence, it was an immediate crisis.

Discovery and Timeline

Volexity, a cybersecurity firm specializing in incident response, discovered CVE-2022-26134 during a Memorial Day weekend investigation of a customer's compromised Confluence server. They found that attackers were exploiting a previously unknown vulnerability to execute arbitrary commands on the server.

  • May 26-28, 2022: Volexity investigates suspicious activity on a customer's Confluence server
  • May 31, 2022: Volexity confirms a zero-day vulnerability and reports it to Atlassian
  • June 2, 2022: Atlassian publishes security advisory without a patch; CISA adds CVE-2022-26134 to its Known Exploited Vulnerabilities catalog and orders federal agencies to disconnect Confluence instances from the internet
  • June 3, 2022: Atlassian releases patches (versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1)
  • June 4-5, 2022: Mass exploitation begins as proof-of-concept exploits are published
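An added example, not from the original post or from Atlassian: a small check that classifies an installed Confluence version against the fixed versions listed above. It assumes, as the advisory states, that every release older than the fix on its branch is affected, that branches with no listed fix need a cross-branch upgrade, and that releases newer than the newest fixed version already carry the fix.

```python
import re

# Fixed versions from Atlassian's June 3, 2022 release, keyed by release branch (major, minor).
FIXED_BY_BRANCH = {
    (7, 4): (7, 4, 17), (7, 13): (7, 13, 7), (7, 14): (7, 14, 3), (7, 15): (7, 15, 2),
    (7, 16): (7, 16, 4), (7, 17): (7, 17, 4), (7, 18): (7, 18, 1),
}
LATEST_FIXED = max(FIXED_BY_BRANCH.values())  # (7, 18, 1)


def fmt(v):
    return ".".join(str(x) for x in v)


def parse_version(text):
    """Turn '7.13.5' (build suffixes such as '7.17.4-x' are tolerated) into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify one installed version against the CVE-2022-26134 fix list.

    Assumptions (stated in the lead-in): anything older than its branch's fix is vulnerable;
    a branch with no listed fix must move to another branch; anything newer than the newest
    fixed release is assumed to include the fix.
    """
    v = parse_version(version_text)
    branch = v[:2]
    fix = FIXED_BY_BRANCH.get(branch)
    if fix is None:
        if v > LATEST_FIXED:
            return {"version": version_text, "vulnerable": False, "action": "released after the fix"}
        return {"version": version_text, "vulnerable": True,
                "action": f"no fix on branch {fmt(branch)}; upgrade to {fmt(LATEST_FIXED)}"}
    if v < fix:
        return {"version": version_text, "vulnerable": True, "action": f"upgrade to {fmt(fix)}"}
    return {"version": version_text, "vulnerable": False, "action": "patched"}


if __name__ == "__main__":
    # Constructed inventory of self-hosted instances, one version string each.
    for ver in ["7.13.5", "7.13.7", "7.12.5", "7.19.0"]:
        print(ver, assess(ver))
```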

The Vulnerability

CVE-2022-26134 was an OGNL injection vulnerability in Confluence's handling of HTTP requests. OGNL is an expression language used by the Java web framework that Confluence is built on. The vulnerability allowed an attacker to inject OGNL expressions through specially crafted URLs, which the server would evaluate — executing arbitrary Java code in the process.

The exploit was devastatingly simple. An attacker could achieve RCE with a single HTTP request:

GET /${%23a=(new+java.lang.ProcessBuilder(new+java.lang.String[]{"id"})).redirectErrorStream(true).start(),%23b=%23a.getInputStream(),%23c=new+java.io.InputStreamReader(%23b),%23d=new+java.io.BufferedReader(%23c),%23e=new+char[50000],%23d.read(%23e),%23matt=%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.setHeader('X-Cmd-Response',%23e)}/

This request would execute the id command on the server and return the output in an HTTP response header. Replacing id with any other command gave the attacker full control of the server.

No authentication was required. Any Confluence Server instance accessible from the network could be exploited.

CVSS: 9.8 (Critical)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Active Exploitation

Volexity's investigation revealed that attackers had been exploiting CVE-2022-26134 before the public disclosure. The initial attacks involved:

  • Webshell deployment: Attackers wrote JSP webshells to disk for persistent access
  • Credential harvesting: Confluence databases contain user credentials, LDAP configurations, and often integration tokens for other Atlassian products
  • Lateral movement: Attackers used Confluence access to pivot to other internal systems
  • Cryptocurrency mining: Some attackers deployed miners as a quick monetization strategy

After the CVE was published, exploitation exploded. Rapid7 observed hundreds of unique IP addresses scanning for vulnerable Confluence instances within 24 hours of the PoC release. By June 6, multiple threat actors, including suspected nation-state groups, were actively exploiting the vulnerability.

The OGNL Pattern

CVE-2022-26134 was not the first OGNL injection in Atlassian products, and it was not the first in Java web applications generally:

  • CVE-2017-5638: OGNL injection in Apache Struts, used in the Equifax breach
  • CVE-2021-26084: OGNL injection in Confluence Server (a different vulnerability from the same class)
  • CVE-2022-26134: The current vulnerability

The recurring pattern suggests that OGNL injection is a systemic risk in Java applications that use the OGNL expression language. The fundamental issue — allowing untrusted input to be evaluated as code — is a variant of injection that has proven difficult to eliminate.

Impact on Organizations

Confluence is widely used as an internal wiki and knowledge management platform. A compromised Confluence instance typically contains:

  • Internal documentation including architecture diagrams, runbooks, and procedures
  • Credentials and secrets embedded in pages (API keys, database passwords)
  • Personnel information (org charts, contact details, project assignments)
  • Business-sensitive content (roadmaps, financial planning, legal documents)

For attackers, a compromised Confluence server is an intelligence goldmine. Even if lateral movement is unsuccessful, the information harvested from Confluence pages alone can be extremely valuable.

Remediation

Immediate Actions

  1. Patch immediately to the latest Confluence version
  2. If patching is not possible, restrict network access to Confluence or take it offline
  3. Check for webshells in the Confluence installation directory
  4. Review Confluence access logs for exploitation indicators (OGNL expressions in URLs)
  5. Rotate all credentials stored in Confluence pages
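As an added example for step 4, not code from the original post: a scanner that URL-decodes each request path in a combined-format access log (the log layout is an assumption) and flags OGNL indicators modelled on the request shown above. The signature names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Indicators of an OGNL expression smuggled into the request path, as in the
# CVE-2022-26134 request above. This signature list is an assumption for the
# example; tune it against your own traffic before alerting on it.
OGNL_SIGNATURES = {
    "ognl-brace": re.compile(r"\$\{"),
    "ognl-context": re.compile(r"#(?:context|request|response|application)\b", re.I),
    "java-exec": re.compile(r"java\.lang\.(?:ProcessBuilder|Runtime)", re.I),
    "xwork-dispatcher": re.compile(r"com\.opensymphony\.xwork2", re.I),
}

# Assumed combined-log layout: ip ident user [ts] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_path(path):
    """URL-decode twice: double-encoding '$', '{' and '#' is a common filter-evasion trick."""
    return unquote(unquote(path))


def ognl_indicators(path):
    """Return the names of every signature that fires on the decoded path."""
    decoded = decode_path(path)
    return [name for name, sig in OGNL_SIGNATURES.items() if sig.search(decoded)]


def scan_access_log(lines):
    """Return one finding per request whose path carries an OGNL injection indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        hits = ognl_indicators(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "path": decode_path(m["path"])[:80], "indicators": hits})
    return findings


# Constructed sample log: a normal page view, a single-encoded request shaped like
# the one above, and a double-encoded variant of the same technique.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:02:11 +0000] "GET /display/ENG/Runbooks HTTP/1.1" 200 8412',
    '198.51.100.23 - - [03/Jun/2022:10:02:15 +0000] "GET /${%23a=(new+java.lang.ProcessBuilder(new+java.lang.String[]{%22id%22})).start(),%23matt=%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27)}/ HTTP/1.1" 302 0',
    '198.51.100.23 - - [03/Jun/2022:10:02:16 +0000] "GET /%2524%257B%2523a%253D%2523context%257D/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} indicators={f['indicators']}")
```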

Long-Term Actions

  1. Implement WAF rules that block OGNL injection patterns in HTTP requests
  2. Move to Confluence Cloud — cloud instances were not affected by this vulnerability
  3. Segment Confluence behind a VPN or zero-trust access proxy
  4. Establish patching SLAs for critical web applications — Confluence should be patchable within 24 hours of a critical CVE

How Safeguard.sh Helps

Safeguard.sh monitors your infrastructure for vulnerable software versions, including self-hosted applications like Confluence. When zero-day vulnerabilities are disclosed, our platform alerts you immediately with specific remediation guidance. Our SBOM and vulnerability tracking capabilities extend beyond application dependencies to include the platforms and tools your development team relies on, ensuring comprehensive coverage of your attack surface.
