Critical Remote Code Execution Vulnerability CVE-2022-26134 in Atlassian Confluence – Description, Impact, and Mitigation Steps
Atlassian Confluence suffers a severe, easily exploitable remote code execution flaw (CVE-2022-26134) that allows unauthenticated attackers to run arbitrary commands, affecting multiple versions and prompting both official upgrade recommendations and detailed temporary mitigation procedures, while Xmirror's Cloud Shark RASP offers innate protection.
Atlassian recently issued a security advisory for a critical remote code execution vulnerability (CVE-2022-26134) in Confluence, which can be exploited without any authentication by injecting malicious OGNL expressions to execute arbitrary commands on the server.
The flaw is low in complexity, affects a wide range of versions, and has already been publicly disclosed, so further exploitation is likely. Affected releases of Confluence Server and Data Center are: all versions before 7.4.17; 7.5.0 up to but not including 7.13.7; 7.14.0 up to but not including 7.14.3; 7.15.0 up to but not including 7.15.2; 7.16.0 up to but not including 7.16.4; 7.17.0 up to but not including 7.17.4; and 7.18.0 up to but not including 7.18.1.
Official remediation: Atlassian recommends upgrading to the latest safe releases (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1) and provides the download link https://www.atlassian.com/software/confluence/download-archives
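As an added example (my own script, not from Atlassian or this article), the POSIX shell functions below encode the affected ranges and fixed releases listed above so an operator can classify an inventory of Confluence versions. Version strings are assumed to be plain major.minor.patch, and the upgrade rule in fixed_release_for (smallest listed fixed release not below the current version) is an assumption of mine; Atlassian's guidance is simply to move to the latest safe release.

```sh
#!/bin/sh
# Added example, not part of the Atlassian advisory: classify Confluence
# version strings against the affected ranges and fixed releases given above.
# Assumes plain "major.minor.patch" strings with each component below 1000.

# Turn "7.13.6" into 7013006 so ranges can be compared with shell arithmetic.
version_key() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Exit status 0 when the version lies in an affected range, 1 otherwise.
# Ranges are "lower:upper" with the lower bound inclusive and the upper
# bound (the fixed release) exclusive, as in the advisory's "7.5.0 to <7.13.7".
confluence_affected() {
    v=$(version_key "$1")
    if [ "$v" -lt "$(version_key 7.4.17)" ]; then
        return 0            # everything before 7.4.17
    fi
    for range in 7.5.0:7.13.7 7.14.0:7.14.3 7.15.0:7.15.2 \
                 7.16.0:7.16.4 7.17.0:7.17.4 7.18.0:7.18.1; do
        lo=$(version_key "${range%%:*}")
        hi=$(version_key "${range##*:}")
        if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Print the smallest listed fixed release that is not below the given version
# (assumed upgrade rule; the advisory itself just says "latest safe release").
fixed_release_for() {
    v=$(version_key "$1")
    for fixed in 7.4.17 7.13.7 7.14.3 7.15.2 7.16.4 7.17.4 7.18.1; do
        if [ "$(version_key "$fixed")" -ge "$v" ]; then
            echo "$fixed"
            return 0
        fi
    done
    return 1            # newer than every listed fixed release
}

# Stand-alone demo over a constructed inventory (not real hosts).
for ver in 7.4.2 7.9.0 7.13.6 7.13.7 7.18.0 7.18.1; do
    if confluence_affected "$ver"; then
        echo "$ver: AFFECTED, upgrade to $(fixed_release_for "$ver")"
    else
        echo "$ver: not in an affected range"
    fi
done
```

Note that 7.4.17 and later 7.4.x builds fall outside every range on the page, while 7.5.0 through 7.12.x have no fixed release of their own and map to 7.13.7.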
Temporary mitigation for Confluence 7.15.0 to 7.18.0 (clustered deployments):
a) Stop Confluence;
b) Download https://packages.atlassian.com/maven-internal/opensymphony/xwork/1.0.3-atlassian-10.jar ;
c) Remove or relocate the old <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3-atlassian-8.jar ;
d) Copy the new JAR to <confluence-install>/confluence/WEB-INF/lib/ ;
e) Make sure the new file's permissions match those of the other files in that directory;
f) Restart Confluence.
Temporary mitigation for Confluence 7.0.0 to 7.14.2 (clustered deployments):
a) Stop Confluence;
b) Download three files: https://packages.atlassian.com/maven-internal/opensymphony/xwork/1.0.3-atlassian-10.jar , https://packages.atlassian.com/maven-internal/opensymphony/webwork/2.1.5-atlassian-4/webwork-2.1.5-atlassian-4.jar , and https://confluence.atlassian.com/doc/files/1130377146/1137639562/3/1654274890463/CachedConfigurationProvider.class ;
c) Delete or move the old <confluence-install>/confluence/WEB-INF/lib/xwork-1.0.3.6.jar and <confluence-install>/confluence/WEB-INF/lib/webwork-2.1.5-atlassian-3.jar ;
d) Copy the new JARs to <confluence-install>/confluence/WEB-INF/lib/ ;
e) Copy CachedConfigurationProvider.class into a newly created <confluence-install>/confluence/WEB-INF/classes/com/atlassian/confluence/setup/webwork directory;
f) Make sure the new files' permissions match those of the other files in their directories;
g) Restart Confluence.
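The interim steps for both version bands reduce to the same file operation on each node: take the old library JAR out of WEB-INF/lib, put the replacement in, and align its permissions. As an added example (my own script, not Atlassian's tooling), the POSIX shell functions below perform that JAR swap against a given <confluence-install>, keep the displaced JAR in a backup directory (an assumed location, not one the advisory names) and copy the mode and ownership of a neighbouring JAR so step e) is not forgotten. The download itself, the CachedConfigurationProvider.class copy for 7.0.0 to 7.14.2, and stopping and restarting the service are left to the operator. The vulnerable_jar_present check only reports whether the pre-mitigation file names are still in place; it does not by itself establish that the install is exploitable, which is what the version check decides.

```sh
#!/bin/sh
# Added example, not Atlassian's tooling: apply the JAR-replacement part of the
# interim mitigation for CVE-2022-26134 to one Confluence install.
# Usage: sh mitigate_jar.sh <confluence-install> <old-jar-name> <path-to-new-jar>

# Report whether the file names the interim steps tell you to move out are still
# under WEB-INF/lib. A hit means the interim mitigation has not been applied to
# this install; it says nothing by itself about the running version.
vulnerable_jar_present() {
    lib="$1/confluence/WEB-INF/lib"
    for name in xwork-1.0.3-atlassian-8.jar xwork-1.0.3.6.jar webwork-2.1.5-atlassian-3.jar; do
        if [ -f "$lib/$name" ]; then
            echo "pre-mitigation library still present: $lib/$name"
            return 0
        fi
    done
    return 1
}

# Octal mode and uid:gid of a file; GNU stat first, BSD/macOS stat as fallback.
file_mode()  { stat -c '%a'    "$1" 2>/dev/null || stat -f '%Lp'   "$1"; }
file_owner() { stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"; }

# replace_lib_jar <confluence-install> <old-jar-name> <path-to-new-jar>
replace_lib_jar() {
    install="$1"; old="$2"; new="$3"
    lib="$install/confluence/WEB-INF/lib"
    backup="$install/cve-2022-26134-backup"   # assumed location for the displaced JAR
    newname=$(basename "$new")

    [ -d "$lib" ] || { echo "no library directory at $lib" >&2; return 1; }
    [ -f "$new" ] || { echo "replacement JAR $new not found" >&2; return 1; }

    # Step c: move the old JAR out of the classpath but keep it, so this is reversible.
    if [ -f "$lib/$old" ]; then
        mkdir -p "$backup"
        mv "$lib/$old" "$backup/$old"
        echo "moved $old to $backup/"
    else
        echo "note: $lib/$old not present (already moved?)" >&2
    fi

    # Step d: copy the replacement in.
    cp "$new" "$lib/$newname"

    # Step e: align mode and ownership with a neighbouring JAR in the same directory.
    ref=""
    for f in "$lib"/*.jar; do
        if [ "$(basename "$f")" != "$newname" ]; then
            ref="$f"
            break
        fi
    done
    if [ -n "$ref" ]; then
        chmod "$(file_mode "$ref")" "$lib/$newname"
        chown "$(file_owner "$ref")" "$lib/$newname" 2>/dev/null \
            || echo "warning: could not chown $newname; fix ownership manually" >&2
    fi
    echo "installed $lib/$newname"
}

# Run only when invoked with the three arguments. Stop Confluence before running
# this and restart it afterwards (steps a and f); the script deliberately does not.
if [ $# -eq 3 ]; then
    replace_lib_jar "$1" "$2" "$3"
fi
```

For the 7.0.0 to 7.14.2 band the function is called twice, once for each of the two JARs, and the class file is still copied by hand; on a clustered deployment the same steps are repeated on every node.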
The Xmirror Cloud Shark RASP platform provides adaptive, threat-immune protection: through runtime context-aware AI detection, vulnerability-immune algorithms, and deep traffic learning, it protects against CVE-2022-26134 without requiring a rule update.
About Xmirror Security: founded in 2014 by the Peking University network security research team, Xmirror delivers a third-generation DevSecOps solution that integrates threat modeling, open-source governance, risk discovery, and continuous detection and response across cloud-native, software-supply-chain, and application security.
DevOps Cloud Academy