CVE-2022-26134 Overview
CVE-2022-26134 is a critical OGNL (Object-Graph Navigation Language) injection vulnerability affecting Atlassian Confluence Server and Data Center. This vulnerability allows an unauthenticated attacker to execute arbitrary code on vulnerable Confluence instances through specially crafted HTTP requests. The flaw exists in the way Confluence processes certain URL parameters, enabling attackers to inject malicious OGNL expressions that are evaluated by the server.
This vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely over the network. Attackers can leverage this flaw to gain complete control over affected systems, potentially compromising sensitive corporate data, installing malware, or using the compromised server as a pivot point for lateral movement within the network.
Critical Impact
Unauthenticated remote code execution allowing complete system compromise of Confluence Server and Data Center instances. This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog and has been actively exploited in the wild.
Affected Products
- Atlassian Confluence Server versions 1.3.0 to 7.4.17, 7.13.0 to 7.13.7, 7.14.0 to 7.14.3, 7.15.0 to 7.15.2, 7.16.0 to 7.16.4, 7.17.0 to 7.17.4, and 7.18.0
- Atlassian Confluence Data Center versions 1.3.0 to 7.4.17, 7.13.0 to 7.13.7, 7.14.0 to 7.14.3, 7.15.0 to 7.15.2, 7.16.0 to 7.16.4, 7.17.0 to 7.17.4, and 7.18.0
Discovery Timeline
- 2022-06-02 - Atlassian releases security advisory
- 2022-06-03 - CVE-2022-26134 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2022-26134
Vulnerability Analysis
CVE-2022-26134 is an OGNL injection vulnerability (CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement) that affects the Confluence Server and Data Center web application. OGNL is an expression language used in Java applications for getting and setting properties of Java objects. When user-controlled input is passed to an OGNL expression evaluator without proper sanitization, attackers can inject malicious expressions that execute arbitrary code on the server.
The vulnerability resides in how Confluence processes URL paths. Specifically, the application fails to properly sanitize the URI before processing, allowing attackers to embed OGNL expressions directly in the URL. When the server processes these malicious requests, it evaluates the embedded OGNL expressions with the privileges of the Confluence application, leading to arbitrary code execution.
This vulnerability is particularly severe because exploitation requires no authentication, no user interaction, and can be performed remotely over the network. The attack complexity is low, making this an easily exploitable vulnerability that poses significant risk to organizations running affected Confluence versions.
Root Cause
The root cause of CVE-2022-26134 lies in improper input validation within Confluence's URL processing pipeline. The application uses the Apache Struts2 framework's OGNL expression evaluator, which processes user-supplied input from the URL path without adequate sanitization. This allows attackers to craft URLs containing malicious OGNL expressions that bypass security controls and are executed by the server.
The vulnerability exists because the namespace and action name derived from the URL are evaluated as OGNL expressions. When attackers craft specially formatted URLs containing OGNL syntax, the expressions are evaluated in a context that allows access to the underlying Java runtime, enabling arbitrary command execution.
Attack Vector
The attack vector for CVE-2022-26134 is network-based and requires no authentication. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Confluence instance. The malicious OGNL expression is embedded within the URL path of the HTTP request.
The exploitation technique involves placing OGNL expressions within specific characters (typically ${...} or %{...} syntax) in the URL path. When Confluence processes the request, the embedded expressions are evaluated, allowing attackers to execute arbitrary system commands, read sensitive files, establish reverse shells, or perform other malicious actions with the privileges of the Confluence server process.
Multiple proof-of-concept exploits have been publicly released, including those documented on Packet Storm Security. These exploits demonstrate various techniques for leveraging this vulnerability to achieve remote code execution.
Detection Methods for CVE-2022-26134
Indicators of Compromise
- Unusual HTTP requests containing OGNL expression syntax such as ${, %{, @, or Runtime.getRuntime() in URL paths
- Web server logs showing requests to unusual or malformed URLs with encoded characters targeting Confluence endpoints
- Unexpected child processes spawned by the Confluence Java process (e.g., /bin/sh, cmd.exe, powershell.exe)
- New or modified files in Confluence directories, especially web shells or unfamiliar executable scripts
- Outbound network connections from the Confluence server to unexpected external IP addresses
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block requests containing OGNL injection patterns in URLs
- Implement intrusion detection system (IDS) signatures for CVE-2022-26134 exploitation attempts
- Monitor process creation events on Confluence servers for suspicious child processes spawned by the Java runtime
- Review and analyze web server access logs for unusual URL patterns containing special characters or encoded OGNL syntax
Monitoring Recommendations
- Enable detailed access logging on Confluence servers and forward logs to a SIEM platform for analysis
- Implement endpoint detection and response (EDR) monitoring on all Confluence servers to detect post-exploitation activity
- Configure alerts for any new network connections initiated by the Confluence server process to external destinations
- Establish baseline behavior for Confluence processes and alert on deviations such as unusual command execution or file access patterns
How to Mitigate CVE-2022-26134
Immediate Actions Required
- Immediately upgrade Confluence Server and Data Center to a patched version: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, or 7.18.1 and later
- If immediate patching is not possible, restrict access to Confluence instances from untrusted networks using firewall rules
- Conduct a thorough security assessment of potentially affected systems to identify signs of compromise
- Review web server logs for any evidence of exploitation attempts that may have occurred before patching
Patch Information
Atlassian has released patches addressing CVE-2022-26134 in multiple version branches. Organizations should upgrade to the latest patched version available for their deployment:
- Version 7.4.x: Upgrade to 7.4.17 or later
- Version 7.13.x: Upgrade to 7.13.7 or later
- Version 7.14.x: Upgrade to 7.14.3 or later
- Version 7.15.x: Upgrade to 7.15.2 or later
- Version 7.16.x: Upgrade to 7.16.4 or later
- Version 7.17.x: Upgrade to 7.17.4 or later
- Version 7.18.x: Upgrade to 7.18.1 or later
For detailed patch information, refer to the Atlassian Confluence Security Advisory and the Atlassian JIRA Issue CONFSERVER-79016.
Workarounds
- If patching is not immediately possible, Atlassian recommends restricting external network access to Confluence instances
- Implement network segmentation to limit access to Confluence servers from trusted internal networks only
- Deploy a web application firewall (WAF) with rules specifically designed to block OGNL injection patterns
- Consider temporarily taking vulnerable Confluence instances offline if they cannot be patched or protected through other means
# Example: Block external access to Confluence using iptables
# Allow only trusted internal network (example: 10.0.0.0/8)
iptables -A INPUT -p tcp --dport 8090 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8090 -j DROP
# Alternative: Block access at reverse proxy level (nginx example)
# Add to nginx configuration to block suspicious OGNL patterns
location / {
if ($request_uri ~* "\$\{|\%\{|@java") {
return 403;
}
proxy_pass http://confluence_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
