CVE-2022-26133

CRITICAL

Atlassian Bitbucket Data Center <7.17.6 - Code Injection

Title source: llm

Description

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

Exploits (5)

nomisec WORKING POC 148 stars

by Pear1y · poc

https://github.com/Pear1y/CVE-2022-26133

View Code ZIP pw:eip

nomisec WORKING POC 3 stars

by ar2o3 · poc

https://github.com/ar2o3/CVE-2022-26133

View Code ZIP pw:eip

inthewild WORKING POC

poc

https://github.com/0xabbarhsf/cve-2022-26133

View Code ZIP pw:eip

inthewild WORKING POC

poc

https://github.com/0xstarford/cve-2022-26133

View Code ZIP pw:eip

inthewild

poc

https://github.com/trhackno/cve-2022-26133

View on inthewild

References (2)

[Patch, Vendor Advisory] https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html

[Vendor Advisory] https://jira.atlassian.com/browse/BSERV-13173

Scores

CVSS v3 9.8

EPSS 0.8139

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

atlassian/bitbucket_data_center < 7.6.14

atlassian/bitbucket_data_center

Timeline

Published Apr 20, 2022

Tracked Since Feb 18, 2026