Back to KEVs

CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to...

Basic Information

CVE State
PUBLISHED
Reserved Date
February 25, 2022
Published Date
June 03, 2022
Last Updated
February 04, 2025
Vendor
Atlassian
Product
Confluence Data Center, Confluence Server
Description
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
Tags
cisa malware ransomware nuclei_scanner fancy_bear metasploit_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-05-05 00:00:00 UTC) Source
Seen in APT Campaigns
Yes (added 2022-02-01 00:00:00 UTC) (Fancy Bear) Source
Proof of Concept Available
Yes (added 2022-12-25 15:29:14 UTC) Source
Used in Malware
Yes (added 2022-06-02 00:00:00 UTC) Source

References

https://jira.atlassian.com/browse/CONFSERVER-79016 http://packetstormsecurity.com/files/167432/Confluence-OGNL-Injection-Proof-Of-Concept.html http://packetstormsecurity.com/files/167430/Confluence-OGNL-Injection-Remote-Code-Execution.html http://packetstormsecurity.com/files/167431/Through-The-Wire-CVE-2022-26134-Confluence-Proof-Of-Concept.html http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2022-06-02 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/atlassian_confluence_namespace_ognl_injection.rb 2025-04-29 11:01:20 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-26134.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

atlassian_confluence_namespace_ognl_injection

Type: metasploit • Created: Unknown

Metasploit module for CVE-2022-26134

MaskCyberSecurityTeam/CVE-2022-26134_Behinder_MemShell

Type: github • Created: 2023-02-04 06:51:47 UTC • Stars: 9

cbk914/CVE-2022-26134_check

Type: github • Created: 2023-01-15 20:11:27 UTC • Stars: 3

wjlin0/CVE-2022-26134

Type: github • Created: 2022-12-25 15:29:14 UTC • Stars: 0

CVE-2022-26134 GO POC 练习

b4dboy17/CVE-2022-26134

Type: github • Created: 2022-10-24 19:00:25 UTC • Stars: 2

yigexioabai/CVE-2022-26134-cve1

Type: github • Created: 2022-10-15 06:01:53 UTC • Stars: 0

skhalsa-sigsci/CVE-2022-26134-LAB

Type: github • Created: 2022-10-09 17:15:07 UTC • Stars: 3

Detecting CVE-2022-26134 using Nuclei

shiftsansan/CVE-2022-26134-Console

Type: github • Created: 2022-08-22 09:40:43 UTC • Stars: 0

CVE-2022-26134-Console

keven1z/CVE-2022-26134

Type: github • Created: 2022-07-23 14:38:11 UTC • Stars: 7

远程攻击者在Confluence未经身份验证的情况下,可构造OGNL表达式进行注入,实现在Confluence Server或Data Center上执行任意代码,在现有脚本上修改了poc,方便getshell。

twoning/CVE-2022-26134-PoC

Type: github • Created: 2022-07-14 01:28:16 UTC • Stars: 2

CVE-2022-26134-PoC

coskper-papa/CVE-2022-26134

Type: github • Created: 2022-07-08 12:24:21 UTC • Stars: 1

confluence rce

Debajyoti0-0/CVE-2022-26134

Type: github • Created: 2022-07-05 07:04:50 UTC • Stars: 2

Atlassian Confluence (CVE-2022-26134) - Unauthenticated OGNL injection vulnerability (RCE).

nxtexploit/CVE-2022-26134

Type: github • Created: 2022-07-05 04:30:42 UTC • Stars: 26

Atlassian Confluence (CVE-2022-26134) - Unauthenticated Remote code execution (RCE)

ColdFusionX/CVE-2022-26134

Type: github • Created: 2022-06-24 10:33:13 UTC • Stars: 2

Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)

kh4sh3i/CVE-2022-26134

Type: github • Created: 2022-06-21 11:49:48 UTC • Stars: 4

[PoC] Atlassian Confluence (CVE-2022-26134) - Unauthenticated OGNL injection vulnerability (RCE)

AmoloHT/CVE-2022-26134

Type: github • Created: 2022-06-19 13:50:22 UTC • Stars: 14

「💥」CVE-2022-26134 - Confluence Pre-Auth RCE

Chocapikk/CVE-2022-26134

Type: github • Created: 2022-06-13 23:01:39 UTC • Stars: 4

CVE-2022-26134 - Pre-Auth Remote Code Execution via OGNL Injection

murataydemir/CVE-2022-26134

Type: github • Created: 2022-06-10 09:52:22 UTC • Stars: 1

[CVE-2022-26134] Confluence Pre-Auth Object-Graph Navigation Language (OGNL) Injection

cai-niao98/CVE-2022-26134

Type: github • Created: 2022-06-09 02:11:58 UTC • Stars: 3

CVE-2022-26134

Y000o/Confluence-CVE-2022-26134

Type: github • Created: 2022-06-07 16:42:36 UTC • Stars: 4

whokilleddb/CVE-2022-26134-Confluence-RCE

Type: github • Created: 2022-06-07 11:17:25 UTC • Stars: 12

Exploit for CVE-2022-26134: Confluence Pre-Auth Remote Code Execution via OGNL Injection

alcaparra/CVE-2022-26134

Type: github • Created: 2022-06-07 10:36:11 UTC • Stars: 4

CVE-2022-26134 Confluence OGNL Injection POC

BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL

Type: github • Created: 2022-06-07 09:19:02 UTC • Stars: 337

li8u99/CVE-2022-26134

Type: github • Created: 2022-06-07 06:57:02 UTC • Stars: 4

Atlassian Confluence 远程代码执行漏洞(CVE-2022-26134)

CatAnnaDev/CVE-2022-26134

Type: github • Created: 2022-06-06 16:45:35 UTC • Stars: 3

archanchoudhury/Confluence-CVE-2022-26134

Type: github • Created: 2022-06-06 06:16:47 UTC • Stars: 4

This repository talks about Zero-Day Exploitation of Atlassian Confluence, it's defense and analysis point of view from a SecOps or Blue Team perspective

hev0x/CVE-2022-26134

Type: github • Created: 2022-06-06 02:43:06 UTC • Stars: 40

Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)

abhishekmorla/CVE-2022-26134

Type: github • Created: 2022-06-05 20:35:38 UTC • Stars: 10

Vulnmachines/Confluence-CVE-2022-26134

Type: github • Created: 2022-06-05 12:23:34 UTC • Stars: 3

SNCKER/CVE-2022-26134

Type: github • Created: 2022-06-04 11:16:28 UTC • Stars: 28

[CVE-2022-26134]Confluence OGNL expression injected RCE with sandbox bypass.

shamo0/CVE-2022-26134

Type: github • Created: 2022-06-04 10:44:38 UTC • Stars: 1

Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerability PoC

Brucetg/CVE-2022-26134

Type: github • Created: 2022-06-04 10:27:50 UTC • Stars: 2

(CVE-2022-26134)an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server

kyxiaxiang/CVE-2022-26134

Type: github • Created: 2022-06-04 05:46:48 UTC • Stars: 3

crowsec-edtech/CVE-2022-26134

Type: github • Created: 2022-06-03 19:24:30 UTC • Stars: 32

CVE-2022-26134 - Confluence Pre-Auth RCE | OGNL injection

offlinehoster/CVE-2022-26134

Type: github • Created: 2022-06-03 08:01:49 UTC • Stars: 8

Information and scripts for the confluence CVE-2022-26134

Timeline

  • Used in Fancy Bear APT Campaign

  • CVE ID Reserved

  • Exploit Used in Malware

  • Added to KEVIntel

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Detected by Metasploit