CVE-2022-26138 — Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability


Atlassian Questions for Confluence — Hard-coded 'disabledsystemuser' Credentials Grant Full Content Access

What is Atlassian Confluence?

Atlassian Confluence is a widely used enterprise wiki and collaboration platform where organizations store internal documentation, project plans, technical runbooks, HR policies, and sensitive business information. Confluence is often the de facto knowledge repository for an organization — a compromise grants access to a treasure trove of internal information that can facilitate further attacks, supply chain compromise, or direct data theft.

Overview

CVE-2022-26138 is a hard-coded credentials vulnerability (CWE-798) in the "Questions for Confluence" app (a Confluence plugin by Atlassian). When the app is installed, it creates a Confluence user account named disabledsystemuser with a hard-coded, publicly known password. This account is placed in the confluence-users group, granting it read access to all content accessible to standard Confluence users. The vulnerability carries a CVSS 3.1 score of 9.8. The credentials were published on public sites immediately after Atlassian's advisory, triggering mass exploitation within days. CISA added this vulnerability to the KEV catalog just 9 days after the advisory.

Affected Versions

Component                              Vulnerable versions       Fixed versions
Questions for Confluence (Server/DC)   2.7.34, 2.7.35, 3.0.2     2.7.38, 3.0.5

Note: The disabledsystemuser account persists even after the plugin is uninstalled. Organizations must manually delete the account after patching or removing the plugin.

Technical Details

The "Questions for Confluence" app creates a Confluence system account during installation to support certain app functions. This account was created with:

  • Username: disabledsystemuser
  • Password: disabled1system1account6820 (hard-coded, identical across all installations)
  • Group membership: confluence-users (standard user access to all non-admin content)

Because the password is identical on every installation, once the credentials were published (the day after the advisory), any attacker could authenticate to any Confluence instance on which the plugin was installed or had previously been installed, since the account persists after the plugin is removed.

The account has access to:

  • All Confluence pages accessible to standard users (internal documentation, credentials, keys, procedures)
  • Confluence's API for programmatic content extraction
  • Potentially sensitive attachments, embedded credentials in wiki pages, and internal process documentation

Discovery

Atlassian identified this vulnerability internally. The hard-coded password was included in a support database and discovered during a security audit.

Exploitation Context

Confluence is one of the most targeted enterprise platforms due to the sensitive information it contains. Within 24 hours of the advisory, security researchers posted the credentials publicly, and mass exploitation scans were reported by multiple threat intelligence firms. Attackers targeted Confluence instances to:

  • Exfiltrate internal documentation containing plaintext credentials, API keys, and infrastructure details
  • Harvest information for phishing and social engineering attacks
  • Use Confluence as a pivot point for broader network reconnaissance
  • Extract development credentials stored in engineering runbooks

The speed of exploitation (credentials public within 24 hours, KEV addition within 9 days) reflects the immediacy of the threat.

Remediation

  1. Update "Questions for Confluence" to version 2.7.38 or 3.0.5 to prevent re-creation of the vulnerable account.
  2. Manually delete disabledsystemuser: This is critical — the account persists after uninstalling the plugin. Navigate to Confluence Administration > User Management and delete the disabledsystemuser account.
  3. Confirm that uninstalling was sufficient: Even if you uninstalled the app, verify that the disabledsystemuser account does not exist in your user directory.
  4. Audit Confluence access logs: Review login events for disabledsystemuser access. Any successful login may indicate unauthorized data exfiltration.
  5. Inventory sensitive content: Identify Confluence pages containing credentials, API keys, or other sensitive data that may have been accessed and rotate them.
  6. Enable Confluence audit logging: If not already enabled, turn on detailed audit logging for future incident detection.
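The log review in step 4, as an added example that is not part of this advisory page and not Atlassian's code: a small Python script that scans Confluence Tomcat access log lines for requests authenticated as disabledsystemuser, separates successful (2xx) requests from redirects and errors, and summarises the source addresses and content endpoints involved. It assumes the default Confluence access log pattern (%a %{X-AUSERNAME}o %t "%r" %s %b %D %U %I "%{User-Agent}i"); check conf/server.xml on your own instance, since a customised pattern needs a different regular expression. The log lines embedded in the script are constructed for the example.

```python
"""
Scan Confluence access log lines for activity by the hard-coded
'disabledsystemuser' account (CVE-2022-26138).

Assumed log format (default Confluence AccessLogValve pattern; verify
against conf/server.xml on your instance):
  %a %{X-AUSERNAME}o %t "%r" %s %b %D %U %I "%{User-Agent}i"
Unauthenticated requests carry "-" in the username field.
"""
import re
from collections import Counter
from dataclasses import dataclass

SUSPECT_USER = "disabledsystemuser"

# Only the leading fields are needed; anything after the byte count is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - [21/Jul/2022:03:14:07 +0000] "GET /login.action HTTP/1.1" 200 5120 12 /login.action - "Mozilla/5.0"
203.0.113.10 disabledsystemuser [21/Jul/2022:03:14:09 +0000] "POST /dologin.action HTTP/1.1" 302 0 88 /dologin.action - "Mozilla/5.0"
203.0.113.10 disabledsystemuser [21/Jul/2022:03:14:10 +0000] "GET /rest/api/content?limit=100 HTTP/1.1" 200 48211 301 /rest/api/content - "python-requests/2.28.1"
203.0.113.10 disabledsystemuser [21/Jul/2022:03:14:11 +0000] "GET /rest/api/content/12345?expand=body.storage HTTP/1.1" 200 9031 90 /rest/api/content/12345 - "python-requests/2.28.1"
198.51.100.7 jdoe [21/Jul/2022:08:02:41 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 22000 44 /display/ENG/Runbook - "Mozilla/5.0"
"""


@dataclass
class Hit:
    """One request made while authenticated as the suspect account."""
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspect_activity(lines, user=SUSPECT_USER):
    """Collect every request whose authenticated username equals `user`."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != user:
            continue
        hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def summarize(hits):
    """Summarise successful (2xx) requests: who fetched what, and how much of it via the REST API."""
    successful = [h for h in hits if 200 <= h.status < 300]
    return {
        "total_requests": len(hits),
        "successful_requests": len(successful),
        "source_ips": sorted({h.ip for h in successful}),
        # Content REST calls are the strongest sign of programmatic bulk extraction.
        "content_api_calls": sum(1 for h in successful if h.path.startswith("/rest/api/content")),
        "top_paths": Counter(h.path.split("?")[0] for h in successful).most_common(5),
    }


if __name__ == "__main__":
    # Usage: replace SAMPLE_LOG with the contents of the instance's access log files.
    result = summarize(find_suspect_activity(SAMPLE_LOG.splitlines()))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Any successful request attributed to disabledsystemuser should be treated as a confirmed compromise of the content it touched, which feeds directly into step 5: the paths listed under top_paths and the content REST calls tell you which pages and attachments to review for embedded secrets that need rotating.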

Key Details

Property               Value
CVE ID                 CVE-2022-26138
Vendor / Product       Atlassian — Confluence
NVD Published          2022-07-20
NVD Last Modified      2026-01-14
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-798
CISA KEV Added         2022-07-29
CISA KEV Deadline      2022-08-19
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-08-19. Apply updates per vendor instructions.

Timeline

Date         Event
2022-07-20   Atlassian published advisory; CVE published
2022-07-21   Hard-coded credentials published publicly; mass exploitation began
2022-07-29   Added to CISA Known Exploited Vulnerabilities catalog
2022-08-19   CISA BOD 22-01 remediation deadline