IsItPatchedInstant security status for any software version
← All products

CVE-2022-26138

CRITICAL severity · CVSS 9.8 · Hard-coded credentials · actively exploited (CISA KEV)
9.8CVSS CRITICAL ● exploited
🔴 Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Added to KEV 2022-07-29. US federal agencies must patch by 2022-08-19.

Summary

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Impact & exploitability

Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)94%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Atlassian Confluence

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

Official patch: https://jira.atlassian.com/browse/CONFSERVER-79483 ↗

Additional information

Last checked: Wed, 10 Jun 2026 22:18:30 UTC