CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 9 min read

CVE-2022-26134 Explained: Confluence Server Critical OGNL Zero-Day

A CVSS 10.0 pre-authentication OGNL injection zero-day in Atlassian Confluence Server and Data Center. Exploited in the wild before Atlassian had a patch. Immediate mass exploitation followed disclosure.

10.0
CVSS Score
Zero-Day
Disclosure Status
None
Auth Required
Hours
Time to Mass Exploitation

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2022-26134 is a maximum-severity (CVSS 10.0) OGNL injection vulnerability in Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. Unlike CVE-2021-26084, a similar OGNL vulnerability in the same product from the prior year, CVE-2022-26134 was disclosed as a zero-day with confirmed active exploitation already underway before Atlassian released patches.

Volexity, a cybersecurity incident response firm, discovered the vulnerability during an active intrusion investigation in late May 2022. They notified Atlassian on June 1; Atlassian published an advisory June 2 with an immediate recommendation to take Confluence offline or block all internet access while patches were developed. Patches were released June 3-6 depending on the affected version.

The Exploit: OGNL Injection via HTTP Request Path

CVE-2022-26134 is an OGNL (Object-Graph Navigation Language) injection vulnerability in Atlassian Confluence's HTTP request handling. The vulnerability allows an attacker to inject OGNL expressions directly into HTTP request URI paths that are processed by Confluence's WebWork action framework.

Unlike some template injection vulnerabilities that require a specific content type or parameter, CVE-2022-26134 exploits the URL path itself. A crafted HTTP GET or POST request with a malicious OGNL expression in the path triggers evaluation of that expression by the Confluence server before routing or authentication checks occur in certain code paths.

The OGNL expression executes in the context of the Confluence server process, with access to the Java runtime environment, system properties, and the ability to call arbitrary Java methods, including those that spawn operating system processes. The result is unauthenticated, pre-routing code execution on the Confluence server.

All supported versions of Confluence Server and Data Center before the patch releases are affected. This includes versions 1.3.0 through the patched versions, effectively every production Confluence Server and Data Center instance worldwide at the time of disclosure. Confluence Cloud instances hosted by Atlassian were not affected.

1

Identify Confluence Server instances

Scan internet-facing infrastructure for Confluence Server and Data Center deployments. Confluence's login page and error responses are distinctive. Shodan, Censys, and active scanning identified tens of thousands of exposed instances within hours of the advisory.

2

Send OGNL injection in URL path

Craft an HTTP GET or POST request where the URL path contains an OGNL expression. Send to any Confluence endpoint, authentication is not required, and the expression evaluates before authentication logic executes.

3

Execute OS command

The OGNL expression calls Java's Runtime.exec() or ProcessBuilder to execute an OS command as the operating system user running the Confluence process. On Linux deployments, this is typically the confluence OS user; on Windows, the application pool user.

4

Deploy implant or create reverse shell

First-wave exploitation deployed cryptomining software (XMRig), web shells, and Cobalt Strike beacons. Nation-state actors conducted targeted exploitation for espionage access to Confluence content before the vulnerability became public.

5

Harvest Confluence data

With RCE on Confluence, access all wiki pages, attachments, and the Confluence database, including potentially credentials, architecture documentation, source code repositories linked from Confluence, and internal operational data.

Zero-Day Exploitation Timeline and Threat Actor Activity

The timeline of CVE-2022-26134 is particularly notable because exploitation was confirmed before the advisory was published. Volexity discovered the vulnerability during a Memorial Day weekend incident response engagement for a customer whose Confluence server had been compromised.

The initial exploitation they observed deployed an in-memory web shell, an implant that existed only in the Confluence server's Java process memory, leaving no files on disk, making it particularly difficult to detect and attribute. The attacker appeared to have operational security practices consistent with sophisticated threat actors.

Between Atlassian's advisory on June 2 and patch availability on June 3-6, Atlassian's official guidance was to take Confluence offline entirely. Organizations that followed this guidance were protected. Those that kept vulnerable instances running faced immediate exploitation, within hours of the advisory, mass scanning activity was detected at internet scale.

Post-patch exploitation included cryptomining campaigns deploying XMRig, multiple ransomware affiliate probing campaigns building target lists, and nation-state actors attributed to Chinese cyber operations who appeared to have had prior knowledge of the vulnerability based on the sophistication of pre-advisory exploitation artifacts.

This is an OGNL injection vulnerability that affects Confluence Server and Data Center. An unauthenticated user can execute arbitrary code on a Confluence Server or Data Center instance.

Atlassian Security Advisory, CVE-2022-26134, June 2022
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Securing Against CVE-2022-26134

Patches were released between June 3 and June 6, 2022 depending on the Confluence version. For all unpatched systems, the priority is immediate patching or taking Confluence offline.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2022-26134 is the second critical OGNL injection zero-day in Confluence in less than a year, following CVE-2021-26084 in August 2021. The same product, the same vulnerability class, both scores of 9.8 or 10.0, both exploited within hours of public knowledge. This pattern should inform how organizations treat Confluence patching going forward.

Confluence is not a low-risk internal wiki. It is a high-value target because of what it contains: credentials, architecture documentation, process runbooks, and connectivity to code repositories. Nation-state actors treat it as an intelligence collection target. Ransomware operators treat it as an initial access vector. Both groups have demonstrated they will zero-day it when the opportunity exists.

The answer is not to avoid Confluence, it is to treat it as a critical-risk application requiring the same patching urgency, network segmentation, and access control rigor as production systems.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2022-26134 and how is it exploited?

CVE-2022-26134 is a CVSS 10.0 OGNL injection vulnerability in Atlassian Confluence Server and Data Center. An unauthenticated attacker embeds an OGNL expression directly in the URL path of an HTTP request. Confluence processes the path before authentication logic runs, evaluating the OGNL expression and executing arbitrary OS commands as the Confluence process user. This vulnerability was disclosed as a zero-day on June 2, 2022, with confirmed active exploitation already underway before Atlassian published the advisory.

How do I fix CVE-2022-26134?

Upgrade Confluence Server or Data Center to version 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, or 7.18.1 depending on your version train. If immediate patching is not possible, take Confluence offline entirely or block all internet access to the instance, the exploit requires only HTTP access to Confluence. Search access logs for OGNL syntax in URL paths (${, %{) and check for in-memory web shells using memory forensics tools.

Was CVE-2022-26134 exploited before the patch was available?

Yes. Volexity discovered CVE-2022-26134 during an active incident response engagement and notified Atlassian on June 1, 2022. Atlassian published an advisory June 2, before patches were available, recommending taking Confluence offline. The initial exploitation Volexity observed deployed an in-memory web shell (no files on disk), suggesting a sophisticated threat actor with prior access to the zero-day. Widespread mass exploitation by opportunistic actors began within hours of the public advisory.

How is CVE-2022-26134 different from CVE-2021-26084, the prior Confluence OGNL vulnerability?

Both CVE-2022-26134 and CVE-2021-26084 are OGNL injection vulnerabilities in Atlassian Confluence that achieve unauthenticated RCE. The key difference is that CVE-2022-26134 was a zero-day: disclosed with active exploitation already confirmed before Atlassian had patches available, while CVE-2021-26084 was disclosed alongside a patch. CVE-2022-26134 scores 10.0 CVSS vs 9.8 for CVE-2021-26084, reflecting slightly broader exploitability. The fact that Atlassian suffered two critical OGNL injections in the same product within 10 months indicates a systemic issue with OGNL expression handling across the Confluence codebase.

Is Confluence Cloud (Atlassian-hosted) affected by CVE-2022-26134?

No. Confluence Cloud instances hosted by Atlassian on atlassian.net are not affected by CVE-2022-26134. Atlassian manages and patches Cloud infrastructure directly. Only self-hosted Confluence Server and self-hosted Confluence Data Center deployments are vulnerable. Organizations that had migrated entirely to Confluence Cloud before June 2022 were not exposed. Hybrid environments where Confluence Data Center runs internally may still be affected if those instances were not patched during the June 2022 window.

What should I do if my Confluence Server was internet-exposed before patching CVE-2022-26134?

Treat the instance as compromised and perform a full incident response investigation before returning it to production use. Review access logs for OGNL expression patterns in URL paths (search for ${ and %{ characters in URL fields). Perform memory forensics if possible to check for in-memory implants, since the initial Volexity-observed exploitation deployed a fileless web shell. Rotate all credentials that Confluence users know, all service account passwords, and any secrets stored in Confluence pages (API keys, database passwords, SSH keys). Assess regulatory notification obligations if Confluence stored personal data.

Sources & references

  1. NVD
  2. Atlassian Advisory
  3. Volexity Discovery

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.