CVE-2022-26138 - Vulnerability Details - OpenCVE

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since July 29, 2022.

The EPSS score is 0.94258.

Exploitation active

Automatable yes

Technical Impact total

Vendors	Products
Atlassian	Confluence Data Center Confluence Server Questions For Confluence

Configuration 1 [-]

AND

OR	cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:::::::*
	cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:::::::*
	cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:::::::*

OR	cpe:2.3:a:atlassian:confluence_data_center:-:::::::*
	cpe:2.3:a:atlassian:confluence_server:-:::::::*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html
https://jira.atlassian.com/browse/CONFSERVER-79483

History

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.94258}`	epss `{'score': 0.94203}`

Tue, 28 Jan 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-07-29'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2022-07-20T17:25:26.913Z

Updated: 2025-07-30T01:37:40.314Z

Reserved: 2022-02-25T00:00:00.000Z

Link: CVE-2022-26138

Vulnrichment

Updated: 2024-08-03T04:56:37.662Z

NVD

Status : Analyzed

Published: 2022-07-20T18:15:08.617

Modified: 2025-02-19T19:48:00.467

Link: CVE-2022-26138

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Questions For Confluence", "vendor": "Atlassian", "versions": [{"status": "affected", "version": "2.7.34"}, {"status": "affected", "version": "2.7.35"}, {"status": "affected", "version": "3.0.2"}]}], "datePublic": "2022-07-20T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "Use of Hard-coded Credentials (CWE-798)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-20T17:25:26.000Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}, {"tags": ["x_refsource_MISC"], "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-07-20T00:00:00", "ID": "CVE-2022-26138", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Questions For Confluence", "version": {"version_data": [{"version_affected": "=", "version_value": "2.7.34"}, {"version_affected": "=", "version_value": "2.7.35"}, {"version_affected": "=", "version_value": "3.0.2"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of Hard-coded Credentials (CWE-798)"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/CONFSERVER-79483", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}, {"name": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html", "refsource": "MISC", "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.662Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-26138", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-28T21:47:41.648320Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-07-29", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26138"}}}], "timeline": [{"time": "2022-07-29T00:00:00+00:00", "lang": "en", "value": "CVE-2022-26138 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-30T01:37:40.314Z"}}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2022-26138", "datePublished": "2022-07-20T17:25:26.913Z", "dateReserved": "2022-02-25T00:00:00.000Z", "dateUpdated": "2025-07-30T01:37:40.314Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"containers": {"cna": {"affected": [{"product": "Questions For Confluence", "vendor": "Atlassian", "versions": [{"status": "affected", "version": "2.7.34"}, {"status": "affected", "version": "2.7.35"}, {"status": "affected", "version": "3.0.2"}]}], "datePublic": "2022-07-20T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "Use of Hard-coded Credentials (CWE-798)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-20T17:25:26.000Z", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}, {"tags": ["x_refsource_MISC"], "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2022-07-20T00:00:00", "ID": "CVE-2022-26138", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Questions For Confluence", "version": {"version_data": [{"version_affected": "=", "version_value": "2.7.34"}, {"version_affected": "=", "version_value": "2.7.35"}, {"version_affected": "=", "version_value": "3.0.2"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of Hard-coded Credentials (CWE-798)"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/CONFSERVER-79483", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}, {"name": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html", "refsource": "MISC", "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:56:37.662Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-26138", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-28T21:47:41.648320Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-07-29", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26138"}}}], "timeline": [{"time": "2022-07-29T00:00:00+00:00", "lang": "en", "value": "CVE-2022-26138 added to CISA KEV"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T21:47:58.160Z"}}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2022-26138", "datePublished": "2022-07-20T17:25:26.913Z", "dateReserved": "2022-02-25T00:00:00.000Z", "dateUpdated": "2025-07-30T01:37:40.314Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"cisaActionDue": "2022-08-19", "cisaExploitAdd": "2022-07-29", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:questions_for_confluence:2.7.34:*:*:*:*:*:*:*", "matchCriteriaId": "A0CE5D29-4DCB-48E5-9F1E-E603E5F6C27E", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:questions_for_confluence:2.7.35:*:*:*:*:*:*:*", "matchCriteriaId": "60DEB66E-75A9-4C34-9E06-037BE1B263EF", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:questions_for_confluence:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8AD33916-41E6-45BB-A6CC-9ECD4F11A529", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:confluence_data_center:-:*:*:*:*:*:*:*", "matchCriteriaId": "E5AB7C4D-ED56-4AB5-BD03-CA807D11C46E", "vulnerable": false}, {"criteria": "cpe:2.3:a:atlassian:confluence_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "A9157ABD-3C98-4742-AE63-EAD7504CDB22", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app."}, {"lang": "es", "value": "La aplicaci\u00f3n Atlassian Questions For Confluence para Confluence Server y Data Center crea una cuenta de usuario de Confluence en el grupo confluence-users con el nombre de usuario disabledsystemuser y una contrase\u00f1a embebida. Un atacante remoto no autenticado que conozca la contrase\u00f1a embebida podr\u00eda explotar esta situaci\u00f3n para iniciar sesi\u00f3n en Confluence y acceder a todo el contenido accesible para usuarios del grupo confluence-users. Esta cuenta de usuario es creada cuando son instaladas las versiones 2.7.34, 2.7.35 y 3.0.2 de la aplicaci\u00f3n"}], "id": "CVE-2022-26138", "lastModified": "2025-02-19T19:48:00.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-20T18:15:08.617", "references": [{"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}, {"source": "security@atlassian.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/CONFSERVER-79483"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "security@atlassian.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}