Atlassian Confluence OGNL Injection Remote Code Execution (CVE-2022-26134)
Overview
Atlassian Confluence OGNL Injection Remote Code Execution, tracked as CVE-2022-26134, is a critical vulnerability affecting self-managed Confluence Server and Confluence Data Center deployments. Confluence is widely used for internal documentation, collaboration, runbooks, engineering notes, and operational knowledge bases, which makes exposed instances especially sensitive.
Vulnerability Overview
CVE-2022-26134 is an OGNL injection vulnerability. OGNL, or Object-Graph Navigation Language, is an expression language used in Java application stacks. In vulnerable Confluence Server and Data Center versions, attacker-controlled input can reach expression evaluation, which allows arbitrary code execution.
The issue is particularly serious because exploitation does not require authentication. A remote attacker can target a vulnerable Confluence instance without having a valid user account, turning an externally reachable collaboration system into a direct remote code execution entry point.
Impact
CVE-2022-26134 has a CVSS 3.1 score of 9.8 and is rated Critical. The score reflects network reachability, low attack complexity, no required privileges, no user interaction, and high confidentiality, integrity, and availability impact.
Successful exploitation can lead to remote code execution with the privileges of the Confluence application. In real environments, this may allow an attacker to access sensitive internal documentation, modify application data, deploy malware, steal credentials, pivot into adjacent systems, or fully compromise the affected server.
The vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on June 2, 2022, which reflects confirmed exploitation in the wild.
Vulnerability Scope
CVE-2022-26134 affects Atlassian Confluence Server and Confluence Data Center across multiple self-managed release lines. The affected version ranges are 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1.
The highest-risk exposure is an internet-facing Confluence Server or Data Center instance running one of the affected versions. Internal-only deployments can also be high risk when attackers gain network access through VPN compromise, phishing, exposed management networks, or lateral movement from another system.
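For exposure assessment, the version ranges listed above can be checked against an asset inventory. The following is an added example, not part of the original lab material or any Atlassian tooling. The hostnames and inventory are constructed, and the "unlisted" status is this example's own convention for versions that fall outside the listed ranges, so they are not reported as safe.

```python
import re

# (first affected, first fixed) pairs, copied from the scope paragraph above.
AFFECTED_RANGES = [
    ("1.3.0", "7.4.17"), ("7.13.0", "7.13.7"), ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"), ("7.16.0", "7.16.4"), ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]

def parse_version(text):
    """Turn '7.13.6' or '7.4' into a comparable 3-tuple; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

RANGES = [(parse_version(lo), parse_version(hi)) for lo, hi in AFFECTED_RANGES]

def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_version(version)
    if any(lo <= v < hi for lo, hi in RANGES):
        return "affected"
    # Same major.minor line as a listed fix, at or above it: a patched release.
    if any(v[:2] == hi[:2] and v >= hi for _, hi in RANGES):
        return "fixed"
    # Outside every listed range (e.g. 7.5.x to 7.12.x, or lines after 7.18):
    # the ranges above do not cover it, so flag it for manual review.
    return "unlisted"

def triage(inventory):
    """Map {host: version} to {status: [hosts]}; bad versions go to 'unknown'."""
    result = {}
    for host, version in sorted(inventory.items()):
        try:
            status = classify(version)
        except ValueError:
            status = "unknown"
        result.setdefault(status, []).append(host)
    return result

# Constructed inventory for illustration; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "wiki-a.example.internal": "7.13.6",
    "wiki-b.example.internal": "7.4.17",
    "wiki-c.example.internal": "7.9.3",
    "wiki-d.example.internal": "7.18.0",
    "wiki-e.example.internal": "latest",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unlisted" or "unknown" need a manual check against the vendor advisory before being treated as out of scope.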
Lab Focus
This lab focuses on understanding how OGNL injection can become remote code execution in a Java web application context, why unauthenticated access makes the vulnerability severe, and how affected Confluence deployments should be assessed from an exposure and remediation perspective. The goal is to practice recognizing the vulnerability context and impact in a controlled Hackviser environment.
