CVE-2022-26138

Tags: CRITICAL · KEV · RANSOMWARE · NUCLEI

Atlassian Questions For Confluence - Hardcoded Credentials

Title source: nuclei

Exploitation Summary

CVE-2022-26138 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 29, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including alcaparra, z92g, Vulnmachines. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC demonstrates an authentication bypass vulnerability in Atlassian Questions For Confluence due to hardcoded credentials. The exploit involves using predefined credentials to log in as a user with access to the confluence-users group.

Description

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Exploits (4)

nomisec · WORKING POC · 31 stars
by alcaparra · remote
https://github.com/alcaparra/CVE-2022-26138

This PoC demonstrates an authentication bypass vulnerability in Atlassian Questions For Confluence due to hardcoded credentials. The exploit involves using predefined credentials to log in as a user with access to the confluence-users group.

Classification: Working PoC (100%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Questions For Confluence (versions 2.7.34, 2.7.35, 3.0.2)
No auth needed
Prerequisites: Knowledge of the hardcoded credentials · Network access to the target Confluence instance
devstral-2 · analyzed Feb 16, 2026
nomisec · SCANNER · 15 stars
by z92g · remote
https://github.com/z92g/CVE-2022-26138

This repository contains a Go-based scanner for CVE-2022-26138, which checks for the presence of a hardcoded password vulnerability in Confluence. It supports both single and batch scanning modes and logs vulnerable hosts.

Classification: Scanner (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Confluence
No auth needed
Prerequisites: Network access to the target Confluence instance
devstral-2 · analyzed Feb 16, 2026
nomisec · WRITEUP · 3 stars
by Vulnmachines · poc
https://github.com/Vulnmachines/Confluence-Question-CVE-2022-26138-

This repository documents CVE-2022-26138, a hardcoded credential vulnerability in the 'Questions for Confluence' app. The app creates a user account with a fixed username and password, allowing unauthorized access to Confluence content.

Classification: Writeup (100%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Confluence Server and Data Center with 'Questions for Confluence' app versions 2.7.34, 2.7.35, and 3.0.2
No auth needed
Prerequisites: 'Questions for Confluence' app installed and enabled
devstral-2 · analyzed Feb 16, 2026
nomisec · SCANNER
by shavchen · poc
https://github.com/shavchen/CVE-2022-26138

This PoC checks for CVE-2022-26138, an authentication bypass vulnerability in Atlassian Confluence. It sends a crafted login request and checks for a 302 redirect to determine vulnerability.

Classification: Scanner (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Confluence (versions affected by CVE-2022-26138)
No auth needed
Prerequisites: Network access to the target Confluence instance
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Atlassian Questions For Confluence - Hardcoded Credentials
CRITICAL · by HTTPVoid
Shodan: http.component:"Atlassian Confluence" || http.component:"atlassian confluence"

References (3)


Scores

CVSS v3: 9.8
EPSS: 0.9432
EPSS Percentile: 100.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2022-07-29
VulnCheck KEV: 2022-07-29
InTheWild.io: 2022-07-24
ENISA EUVD: EUVD-2022-30705
Ransomware Use: Confirmed
CWE: CWE-798
Status: published
Products (3)
atlassian/questions_for_confluence 2.7.34
atlassian/questions_for_confluence 2.7.35
atlassian/questions_for_confluence 3.0.2
Published: Jul 20, 2022
KEV Added: Jul 29, 2022
Tracked Since: Feb 18, 2026