Security Experts:

Connect with us

Hi, what are you looking for?



Atlassian Expects Confluence App Exploitation After Hardcoded Password Leak

Atlassian has warned customers that a vulnerability in Questions for Confluence will likely be used in attacks after someone made public a piece of information needed to exploit a recently addressed vulnerability.

Atlassian has warned customers that a vulnerability in Questions for Confluence will likely be used in attacks after someone made public a piece of information needed to exploit a recently addressed vulnerability.

A knowledge sharing application, Questions for Confluence helps Confluence users quickly access information or share it with others, as well as to connect with experts when needed. The application is a paid, optional add-on and is not installed by default on Confluence.

Last week, Atlassian announced patches for a critical vulnerability in the application that impacts the Confluence Server and Data Center products.

Tracked as CVE-2022-26138, the security issue exists because, when enabled on the impacted products, Questions for Confluence creates a user account with the username disabledsystemuser and a hardcoded password.

Because the user account is added to the confluence-users group, it has access to non-restricted pages within Confluence.

Late last week, Atlassian updated its advisory to warn that someone has made the hardcoded password public, and to provide additional information on how to resolve the bug and look for indicators of compromise.

“An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” Atlassian’s updated advisory reads.

“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately,” the advisory continues.

According to Atlassian, Questions for Confluence currently has over 8,000 installations. Systems running Questions for Confluence 2.7.34, 2.7.35, or 3.0.2 are impacted, even if the application has been removed.

“Uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled,” Atlassian warns.

The vulnerability was resolved with the release of Questions for Confluence versions 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and 3.0.5 (compatible with Confluence 7.16.3 and later), which no longer contain the hardcoded password and also remove the disabledsystemuser account if it was previously created.

However, Atlassian warns that, if Confluence is configured to use a read-only external directory, users need to manually search for the disabledsystemuser user account and delete or disable it.

“We recommend updating the Questions for Confluence app which will remove this user from the system. If this isn’t possible for any reason, you should disable or delete the user,” Atlassian notes in an FAQ for CVE-2022-26138.

Related: Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products

Related: Cisco Patches Severe Vulnerabilities in Nexus Dashboard

Related: Oracle Releases 349 New Security Patches With July 2022 CPU

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.