CVE-2022-26133

CRITICAL

Atlassian Bitbucket Data Center <7.17.6 - Code Injection

Title source: llm

Description

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

Exploits (5)

nomisec WORKING POC 148 stars

by Pear1y · poc

https://github.com/Pear1y/CVE-2022-26133

View Code ZIP pw:eip

nomisec WORKING POC 3 stars

by abbarhissarh · poc

https://github.com/abbarhissarh/CVE-2022-26133

View Code ZIP pw:eip

nomisec WORKING POC 3 stars

by ar2o3 · poc

https://github.com/ar2o3/CVE-2022-26133

View Code ZIP pw:eip

inthewild WORKING POC

poc

https://github.com/0xstarford/cve-2022-26133

View Code ZIP pw:eip

inthewild WORKING POC

poc

https://github.com/0xabbarhsf/cve-2022-26133

View Code ZIP pw:eip

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://jira.atlassian.com/browse/BSERV-13173

Patch, Vendor Advisory x_refsource_misc

https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html

Scores

CVSS v3 9.8

EPSS 0.8139

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

atlassian/bitbucket_data_center 7.20.0

atlassian/bitbucket_data_center 5.14.0 - 7.6.14

Published Apr 20, 2022

Tracked Since Feb 18, 2026