CVE-2022-26138
Published: 20 July 2022
Summary
CVE-2022-26138 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Atlassian Questions For Confluence. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
The vulnerability CVE-2022-26138 is a use of hard-coded credentials (CWE-798) in the Atlassian Questions For Confluence app for Confluence Server and Data Center. The affected versions 2.7.34, 2.7.35, and 3.0.2 create a persistent local account named disabledsystemuser that is added to the confluence-users group and protected by a hardcoded password.
A remote unauthenticated attacker who knows the password can log directly into Confluence and read or modify any content accessible to members of the confluence-users group. The flaw carries a CVSS 3.1 score of 9.8, reflecting network-exploitable impact with no required privileges or user interaction.
Atlassian’s security advisory and the linked CONFSERVER-79483 entry describe the issue and direct administrators to upgrade or remove the affected app versions. The CVE is also catalogued by CISA among actively exploited vulnerabilities.
The associated EPSS score currently stands at 0.9432 after reaching a peak of 0.9745, confirming sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-30705
Vulnerability details
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
- KEV Date Added: 29 July 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly prohibits embedding or using hardcoded passwords for any account, eliminating the disabledsystemuser credential created by the vulnerable app versions.
- AC-2 (Account Management): requires explicit authorization and management of all accounts, preventing the app from silently creating the confluence-users group member with a static password.
- Enforces that access decisions are based on validated, non-bypassable credentials, blocking unauthenticated use of the backdoor account once the hardcoded password is known.