CVE-2022-26138
ENISA EUVD: EUVD-2022-30705 ↗
Exploited in the Wild
✓ Confirmed 0-Day
Triaged: March 20, 2026
5 articles
Published: 2022-07-20
EPSS Score
Source: FIRST.org · 2026-05-23
94.32%
probability
This CVE has a 94.32% probability of being exploited in the next 30 days.
Top 100.0th percentile of all CVEs
CVSS v3.1
Source: VulnerabilityLookup (CIRCL)
9.8
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Source: VulnerabilityLookup (CNA)
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Affected Products
Atlassian
Questions For Confluence
2.7.34
2.7.35
3.0.2
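The check an administrator wants after reading the description above: does the disabledsystemuser account still exist on this instance, is it still in confluence-users, and does a given password still log it in. The script below is an added example, not Atlassian's own remediation tooling. It assumes the Confluence Server/DC REST endpoints /rest/api/user, /rest/api/user/memberof and /rest/api/user/current, admin credentials in the environment variables CONFLUENCE_ADMIN_USER and CONFLUENCE_ADMIN_PASS, and an optional password to probe in CVE_2022_26138_PASSWORD; the published default password is deliberately not reproduced here and must be supplied by the operator. The sample REST responses in the block are constructed for the offline demo. Atlassian's advisory notes that uninstalling the app does not remove the account, so the check is worth running even on instances where the app is already gone.

```python
"""Audit a Confluence Server/DC instance for the CVE-2022-26138 account.

Usage: python audit_cve_2022_26138.py https://confluence.example.com
Added example; endpoint paths and environment variable names are assumptions.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

SUSPECT_USER = "disabledsystemuser"   # username named in the advisory
SUSPECT_GROUP = "confluence-users"    # group the app adds the account to


def _basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def _get(base_url, path, headers, params=None):
    """GET a REST path; return (HTTP status, parsed JSON body or None)."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode() or "null")
    except urllib.error.HTTPError as e:
        return e.code, None


def assess(user_status, memberof_body, login_result):
    """Decision logic kept free of I/O so it can be tested with canned data.

    user_status   -- status of GET /rest/api/user?username=disabledsystemuser
    memberof_body -- parsed body of GET /rest/api/user/memberof for that user
    login_result  -- (status, body) of GET /rest/api/user/current authenticated
                     as the suspect account, or None if no password was probed
    """
    present = user_status == 200
    groups = set()
    if present and memberof_body:
        groups = {g.get("name") for g in memberof_body.get("results", [])}
    in_group = SUSPECT_GROUP in groups
    # A login counts as successful only if Confluence reports the suspect
    # user back, so an anonymous 200 is not mistaken for valid credentials.
    login_ok = bool(login_result) and login_result[0] == 200 and \
        (login_result[1] or {}).get("username") == SUSPECT_USER
    if not present:
        verdict = "clean"             # account absent: not affected
    elif login_ok:
        verdict = "exploitable"       # probed password still authenticates
    elif in_group:
        verdict = "present"           # exists (possibly disabled): remove it
    else:
        verdict = "present-no-group"  # exists but outside confluence-users
    return {"present": present, "in_confluence_users": in_group,
            "groups": sorted(g for g in groups if g), "verdict": verdict}


def audit(base_url):
    """Query a live instance and return the assessment dict."""
    admin = _basic_auth(os.environ["CONFLUENCE_ADMIN_USER"],
                        os.environ["CONFLUENCE_ADMIN_PASS"])
    user_status, _ = _get(base_url, "/rest/api/user", admin,
                          {"username": SUSPECT_USER})
    memberof = None
    login_result = None
    if user_status == 200:
        _, memberof = _get(base_url, "/rest/api/user/memberof", admin,
                           {"username": SUSPECT_USER})
        probe_pw = os.environ.get("CVE_2022_26138_PASSWORD")
        if probe_pw:
            login_result = _get(base_url, "/rest/api/user/current",
                                _basic_auth(SUSPECT_USER, probe_pw))
    return assess(user_status, memberof, login_result)


# Constructed sample responses (not captured from a real server).
SAMPLE_MEMBEROF = {"results": [{"type": "group", "name": SUSPECT_GROUP}],
                   "size": 1}
SAMPLE_LOGIN_OK = (200, {"type": "known", "username": SUSPECT_USER})


def demo():
    """Run the decision logic over the constructed samples."""
    return {
        "absent": assess(404, None, None)["verdict"],
        "present": assess(200, SAMPLE_MEMBEROF, (401, None))["verdict"],
        "default_password": assess(200, SAMPLE_MEMBEROF,
                                   SAMPLE_LOGIN_OK)["verdict"],
    }


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(json.dumps(audit(sys.argv[1]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

A verdict of "present" or "exploitable" means the account should be disabled or deleted (or the app upgraded to a fixed version) and the login history for disabledsystemuser reviewed; the REST user lookup alone does not reveal whether the account is already disabled, which is why the optional login probe is included.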
Attack Intelligence
CWE-1390
· Weak Authentication
CWE-1391
· Use of Weak Credentials
CWE-284
· Improper Access Control
CWE-287
· Improper Authentication
CWE-330
· Use of Insufficiently Random Values
CWE-344
· Use of Invariant Value in Dynamically Changing Context
CWE-657
· Violation of Secure Design Principles
CWE-671
· Lack of Administrator Control over Security
CWE-693
· Protection Mechanism Failure
CWE-710
· Improper Adherence to Coding Standards
CWE-798
· Use of Hard-coded Credentials
Exploits & PoC
alcaparra/CVE-2022-26138
Atlassian Questions Hardcoded Password (CVE-2022-26138)
31
2022-07-26
z92g/CVE-2022-26138
Confluence Hardcoded Password POC
15
2022-07-30
Vulnmachines/Confluence-Question-CVE-2022-26138-
Atlassian Confluence Server and Data Center: CVE-2022-26138
3
2022-07-28
0
2022-07-22
4 repos, sorted by ⭐
Search on GitHub ↗
Signal Intelligence
Confidence
92%
EPSS
94.32%
CVSS v3.1
9.8
Mentions
5
Last Seen
Oct 04, 2023
CNA Information
CNA Assigner
atlassian
Analyst Note
CVE-2022-26138 is explicitly named as a zero-day in BleepingComputer's headline ('Atlassian patches critical Confluence zero-day exploited in attacks') and TheHackerNews reports active exploitation occurring within a week after Atlassian's patch release. CISA's addition to the Known Exploited Vulnerabilities Catalog provides independent confirmation of active wild exploitation.
Threat Actors 5
Turla Group
apt_group
Information theft and espionage
🇷🇺 RU
APT 29
apt_group
Information theft and espionage
🇷🇺 RU
APT32
apt_group
Information theft and espionage
🇻🇳 VN
SaintBear
apt_group
Information theft and espionage
🇷🇺 RU
DEV-0586
apt_group
Sabotage and destruction
🇷🇺 RU
Triage Info
Decided at: Mar 20, 2026
Published Date: Jul 20, 2022