CVE-2022-26138

nvd nist nuclei

Published: Jul 20, 2022Modified: Jan 14, 2026CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

Affected (3)

Products: Atlassian: Questions For Confluence

1 product

Questions For Confluence

Configuration A

3 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Atlassian Questions For Confluence	Version 2.7.34
Atlassian Questions For Confluence	Version 2.7.35
Atlassian Questions For Confluence	Version 3.0.2

Running on/with	Platform Versions
Atlassian Confluence Data Center	All versions
Atlassian Confluence Server	All versions

Related CWEs

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (5)

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html

Source: security@atlassian.com

Vendor Advisory

https://jira.atlassian.com/browse/CONFSERVER-79483

Source: security@atlassian.com

Issue TrackingPatchVendor Advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-07-20-1142446709.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://jira.atlassian.com/browse/CONFSERVER-79483

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-26138

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.