Cyber Resilience

CVE-2022-26138

Severity: Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 20 July 2022
Modified: 14 January 2026
KEV Added: 29 July 2022
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9432 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26138 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Atlassian Questions For Confluence. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

The vulnerability CVE-2022-26138 is a use of hard-coded credentials (CWE-798) in the Atlassian Questions For Confluence app for Confluence Server and Data Center. The affected versions 2.7.34, 2.7.35, and 3.0.2 create a persistent local account named disabledsystemuser that is added to the confluence-users group and protected by a hardcoded password.

A remote unauthenticated attacker who knows the password can log directly into Confluence and read or modify any content accessible to members of the confluence-users group. The flaw carries a CVSS 3.1 score of 9.8, reflecting network-exploitable impact with no required privileges or user interaction.

Atlassian’s security advisory and the linked CONFSERVER-79483 entry describe the issue and direct administrators to upgrade or remove the affected app versions. The CVE is also catalogued by CISA among actively exploited vulnerabilities.

The associated EPSS score currently stands at 0.9432 after reaching a peak of 0.9745, confirming sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
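The two facts the record stresses, the affected version set and the presence of the disabledsystemuser account in confluence-users, are what an administrator has to check before and after patching. The following is an added example (not Atlassian's code and not from this page) that runs that triage over a user-directory export; the JSON field names and the sample export are constructed assumptions, so adapt the loader to whatever your admin tooling produces.

```python
import json

# Versions the advisory lists as creating the account (from the page).
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}
BACKDOOR_USER = "disabledsystemuser"
TARGET_GROUP = "confluence-users"

# Constructed sample export; the field names are an assumed shape, not an
# Atlassian export format.
SAMPLE_EXPORT = json.dumps([
    {"name": "alice", "active": True, "groups": ["confluence-users"],
     "last_login": "2022-07-28T09:12:00Z"},
    {"name": "disabledsystemuser", "active": True,
     "groups": ["confluence-users"], "last_login": "2022-07-30T02:41:00Z"},
])


def assess(app_version: str, users_json: str) -> list[str]:
    """Return a list of findings; an empty list means nothing to act on."""
    findings = []
    if app_version in AFFECTED_VERSIONS:
        findings.append(
            f"Questions for Confluence {app_version} is an affected version: "
            "upgrade or uninstall the app")
    for user in json.loads(users_json):
        if user.get("name") != BACKDOOR_USER:
            continue
        # Upgrading or removing the app does not remove an account it already
        # created, so the account has to be handled on its own.
        if user.get("active", False):
            findings.append(f"{BACKDOOR_USER} is active: disable or delete it")
        if TARGET_GROUP in user.get("groups", []):
            findings.append(f"{BACKDOOR_USER} is a member of {TARGET_GROUP}")
        if user.get("last_login"):
            findings.append(
                f"{BACKDOOR_USER} has authenticated (last {user['last_login']}): "
                "this account should never log in, so treat it as evidence "
                "of misuse and investigate")
    return findings


if __name__ == "__main__":
    for line in assess("3.0.2", SAMPLE_EXPORT):
        print("-", line)
```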

CWE(s): CWE-798 (Use of Hard-coded Credentials)
KEV Date Added: 29 July 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: atlassian
Product: questions for confluence
Versions: 2.7.34, 2.7.35, 3.0.2

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly prohibits embedding or using hardcoded passwords for any account, eliminating the disabledsystemuser credential created by the vulnerable app versions.
- Prevent: Requires explicit authorization and management of all accounts, preventing the app from silently creating the confluence-users group member with a static password.
- Prevent: Enforces that access decisions are based on validated, non-bypassable credentials, blocking unauthenticated use of the backdoor account once the hardcoded password is known.
