Threat Advisory

Critical Atlassian Confluence Vulnerability Under Active Exploitation

August 1, 2022 | By Accorian

Last week, Atlassian released a patch for a critical flaw in its Questions for Confluence app for Confluence Server and Confluence Data Center. The vulnerability is tracked as CVE-2022-26138 and is rated critical severity. The issue exists because the Questions for Confluence app creates a user account with a hardcoded password when the username disabledsystemuser is used. By default, the disabledsystemuser account is then added to the confluence-users group, which allows viewing and editing of all non-restricted pages.

A few days after the fix was rolled out, the hardcoded password was leaked on social media, triggering active exploitation of the vulnerability. The vulnerability exists only when the Questions for Confluence app is enabled on the affected versions: Questions for Confluence 2.7.x (2.7.34, 2.7.35) and Questions for Confluence 3.0.x (3.0.2).

Accorian urges all its customers to update their on-premises instances to the latest versions (2.7.38 and 3.0.5) as soon as possible or take steps to disable/delete the disabledsystemuser account. Uninstalling the Questions for Confluence app does not remediate the flaw, as the created account does not get automatically removed after the app has been uninstalled. Atlassian’s advisory also includes information on how to look for evidence of exploitation. 
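As a complement to the evidence checks in Atlassian's advisory, the following added example (not code from Atlassian or Accorian) scans web access-log lines for requests authenticated as disabledsystemuser and summarises them per source IP. The log layout, the sample lines and the function name `find_account_activity` are assumptions made for illustration; adjust the pattern to your own access-log format.

```python
import re
from collections import defaultdict
from datetime import datetime

ACCOUNT = "disabledsystemuser"  # account named in the advisory
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Assumed access-log layout (adjust to your own pattern):
# [timestamp] username thread client_ip METHOD path protocol status ...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<user>\S+) \S+ (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) \S+ (?P<status>\d{3}) "
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
[28/Jul/2022:09:14:02 +0000] jsmith http-nio-8090-exec-3 10.0.4.17 GET /dashboard.action HTTP/1.1 200 41ms 18230 - Mozilla/5.0
[28/Jul/2022:22:41:10 +0000] - http-nio-8090-exec-7 203.0.113.50 POST /dologin.action HTTP/1.1 302 120ms 0 - Mozilla/5.0
[28/Jul/2022:22:41:11 +0000] disabledsystemuser http-nio-8090-exec-7 203.0.113.50 GET /index.action HTTP/1.1 200 88ms 20110 - Mozilla/5.0
[28/Jul/2022:22:43:57 +0000] disabledsystemuser http-nio-8090-exec-2 203.0.113.50 POST /pages/doeditpage.action?pageId=1001 HTTP/1.1 302 210ms 0 - Mozilla/5.0
[29/Jul/2022:03:02:40 +0000] disabledsystemuser http-nio-8090-exec-9 198.51.100.23 GET /rest/api/content?limit=200 HTTP/1.1 200 64ms 90211 - Mozilla/5.0
malformed line that should be skipped
"""

def find_account_activity(lines, account=ACCOUNT):
    """Summarise, per client IP, requests authenticated as `account`."""
    hits = defaultdict(lambda: {"requests": 0, "writes": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"].lower() != account:
            continue  # unparseable line or a different user
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = hits[m["ip"]]
        entry["requests"] += 1
        # Successful state-changing requests deserve the closest review.
        if m["method"] in WRITE_METHODS and m["status"][0] in "23":
            entry["writes"] += 1
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    return dict(hits)

if __name__ == "__main__":
    for ip, e in find_account_activity(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {e['requests']} requests, {e['writes']} writes, "
              f"{e['first'].isoformat()} to {e['last'].isoformat()}")
```

An empty result only covers the period spanned by the retained logs, so it does not replace disabling or deleting the account.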

Accorian can help identify this vulnerability in your environment.  


Threat Advisory Team 

