CVE-2022-26134 Explained: Confluence Server Critical OGNL Zero-Day

CVE-2022-26134 is an OGNL (Object-Graph Navigation Language) injection vulnerability in Atlassian Confluence's HTTP request handling. The vulnerability allows an attacker to inject OGNL expressions directly into HTTP request URI paths that are processed by Confluence's WebWork action framework.

Unlike some template injection vulnerabilities that require a specific content type or parameter, CVE-2022-26134 exploits the URL path itself. A crafted HTTP GET or POST request with a malicious OGNL expression in the path triggers evaluation of that expression by the Confluence server before routing or authentication checks occur in certain code paths.

The OGNL expression executes in the context of the Confluence server process, with access to the Java runtime environment, system properties, and the ability to call arbitrary Java methods — including those that spawn operating system processes. The result is unauthenticated, pre-routing code execution on the Confluence server.

All supported versions of Confluence Server and Data Center before the patch releases are affected. This includes versions 1.3.0 through the patched versions — effectively every production Confluence Server and Data Center instance worldwide at the time of disclosure. Confluence Cloud instances hosted by Atlassian were not affected.

The timeline of CVE-2022-26134 is particularly notable because exploitation was confirmed before the advisory was published. Volexity discovered the vulnerability during a Memorial Day weekend incident response engagement for a customer whose Confluence server had been compromised.

The initial exploitation they observed deployed an in-memory web shell — an implant that existed only in the Confluence server's Java process memory, leaving no files on disk — making it particularly difficult to detect and attribute. The attacker appeared to have operational security practices consistent with sophisticated threat actors.

Between Atlassian's advisory on June 2 and patch availability on June 3-6, Atlassian's official guidance was to take Confluence offline entirely. Organizations that followed this guidance were protected. Those that kept vulnerable instances running faced immediate exploitation — within hours of the advisory, mass scanning activity was detected at internet scale.

Post-patch exploitation included cryptomining campaigns deploying XMRig, multiple ransomware affiliate probing campaigns building target lists, and nation-state actors attributed to Chinese cyber operations who appeared to have had prior knowledge of the vulnerability based on the sophistication of pre-advisory exploitation artifacts.

Patches were released between June 3 and June 6, 2022 depending on the Confluence version. For all unpatched systems, the priority is immediate patching or taking Confluence offline.

CVE-2022-26134 is the second critical OGNL injection zero-day in Confluence in less than a year — following CVE-2021-26084 in August 2021. The same product, the same vulnerability class, both scores of 9.8 or 10.0, both exploited within hours of public knowledge. This pattern should inform how organizations treat Confluence patching going forward.

Confluence is not a low-risk internal wiki. It is a high-value target because of what it contains: credentials, architecture documentation, process runbooks, and connectivity to code repositories. Nation-state actors treat it as an intelligence collection target. Ransomware operators treat it as an initial access vector. Both groups have demonstrated they will zero-day it when the opportunity exists.

The answer is not to avoid Confluence — it is to treat it as a critical-risk application requiring the same patching urgency, network segmentation, and access control rigor as production systems.