Privacy Ninja

Atlassian: Confluence Hardcoded Password was Leaked, Patch Now!


One day after releasing security updates to address the vulnerability (tracked as CVE-2022-26138), Atlassian warned admins to patch their servers as soon as possible, given that the hardcoded password had been found and shared online.

“An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately,” the company warned Thursday.

“This issue is likely to be exploited in the wild now that the hardcoded password is publicly known.”


The warning is both timely and necessary because threat actors equipped with this knowledge could use it to log into vulnerable Confluence servers and access pages the confluence-users group has access to.

This is no surprise, as Atlassian had already warned users that the password was “trivial to obtain after downloading and reviewing affected versions of the app.”

Patching and checking for evidence of exploitation

To defend against potential attacks, Atlassian recommends updating to a patched version of Questions for Confluence or disabling/deleting the disabledsystemuser account.

Updating the Questions for Confluence app to a fixed version (versions 2.7.x >= 2.7.38 or versions greater than 3.0.5) will remove the problematic user account if present.


If you want to determine if a server is affected by this hardcoded credentials security flaw, you have to check for an active user account with the following info:

To look for evidence of exploitation, you can check the last authentication time for disabledsystemuser using the following instructions. If the result is null, the account exists on the system, but no one has yet signed in using it.
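The two checks above (does the account exist, and has anyone signed in with it) can be scripted against a copy of the user tables. The example below is added here and is not Atlassian's own tooling: it builds a constructed in-memory SQLite stand-in for the Confluence user tables, and the table and column names (cwd_user, cwd_user_attribute, lastAuthenticated) are assumptions about the schema, so confirm them against your own database before relying on the query.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for the Confluence user tables. Names are assumed.
SCHEMA = """
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT, active INTEGER);
CREATE TABLE cwd_user_attribute (user_id INTEGER, attribute_name TEXT, attribute_value TEXT);
"""

# Constructed sample data: (id, user_name, active, lastAuthenticated in epoch ms)
SAMPLE_ROWS = {
    "clean": [],                                                # account absent
    "present_unused": [(1, "disabledsystemuser", 1, None)],     # exists, never signed in
    "disabled_unused": [(1, "disabledsystemuser", 0, None)],    # exists but disabled
    "present_used": [(1, "disabledsystemuser", 1, "1658361600000")],  # someone logged in
}

def load_db(rows):
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for uid, name, active, last_auth in rows:
        conn.execute("INSERT INTO cwd_user VALUES (?, ?, ?)", (uid, name, active))
        if last_auth is not None:
            conn.execute("INSERT INTO cwd_user_attribute VALUES (?, ?, ?)",
                         (uid, "lastAuthenticated", last_auth))
    return conn

CHECK_SQL = """
SELECT u.active, a.attribute_value
FROM cwd_user u
LEFT JOIN cwd_user_attribute a
       ON a.user_id = u.id AND a.attribute_name = 'lastAuthenticated'
WHERE u.user_name = 'disabledsystemuser'
"""

def check_disabledsystemuser(conn):
    """Return (status, last_login_iso). A null last-auth time means the account
    exists but has never been used to sign in, as the article describes."""
    row = conn.execute(CHECK_SQL).fetchone()
    if row is None:
        return ("not_affected", None)          # account absent (or already removed)
    active, last_auth = row
    if last_auth is None:
        return ("affected_no_login" if active else "disabled_no_login", None)
    when = datetime.fromtimestamp(int(last_auth) / 1000, tz=timezone.utc)
    return ("possible_exploitation", when.isoformat())
```

Run it against a real instance by replacing load_db with a connection to your Confluence database; a "possible_exploitation" result is the cue to start an incident review of that login time.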

It’s also important to mention that uninstalling the Questions for Confluence app on affected servers will not remove the attack vector (i.e., the hardcoded credentials) and the unpatched systems will remain exposed to attacks.

Confluence servers are attractive targets for threat actors, as shown by previous attacks involving Linux botnet malware, AvosLocker and Cerber2021 ransomware, and crypto miners.


