Security Experts:

Connect with us

Hi, what are you looking for?



Atlassian Expects Confluence App Exploitation After Hardcoded Password Leak

Atlassian has warned customers that a vulnerability in Questions for Confluence will likely be used in attacks after someone made public a piece of information needed to exploit a recently addressed vulnerability.

Atlassian has warned customers that a vulnerability in Questions for Confluence will likely be used in attacks after someone made public a piece of information needed to exploit a recently addressed vulnerability.

A knowledge sharing application, Questions for Confluence helps Confluence users quickly access information or share it with others, as well as to connect with experts when needed. The application is a paid, optional add-on and is not installed by default on Confluence.

Last week, Atlassian announced patches for a critical vulnerability in the application that impacts the Confluence Server and Data Center products.

Tracked as CVE-2022-26138, the security issue exists because, when enabled on the impacted products, Questions for Confluence creates a user account with the username disabledsystemuser and a hardcoded password.

Because the user account is added to the confluence-users group, it has access to non-restricted pages within Confluence.

Late last week, Atlassian updated its advisory to warn that someone has made the hardcoded password public, and to provide additional information on how to resolve the bug and look for indicators of compromise.

“An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” Atlassian’s updated advisory reads.

“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately,” the advisory continues.

According to Atlassian, Questions for Confluence currently has over 8,000 installations. Systems running Questions for Confluence 2.7.34, 2.7.35, or 3.0.2 are impacted, even if the application has been removed.

“Uninstalling the Questions for Confluence app does not remediate this vulnerability. The disabledsystemuser account does not automatically get removed after the app has been uninstalled,” Atlassian warns.

The vulnerability was resolved with the release of Questions for Confluence versions 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2) and 3.0.5 (compatible with Confluence 7.16.3 and later), which no longer contain the hardcoded password and also remove the disabledsystemuser account if it was previously created.

However, Atlassian warns that, if Confluence is configured to use a read-only external directory, users need to manually search for the disabledsystemuser user account and delete or disable it.

“We recommend updating the Questions for Confluence app which will remove this user from the system. If this isn’t possible for any reason, you should disable or delete the user,” Atlassian notes in an FAQ for CVE-2022-26138.

Related: Atlassian Patches Servlet Filter Vulnerabilities Impacting Multiple Products

Related: Cisco Patches Severe Vulnerabilities in Nexus Dashboard

Related: Oracle Releases 349 New Security Patches With July 2022 CPU

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet