CVE-2022-26138

Vendor: Atlassian
Product: Questions For Confluence
Weakness: CWE-798 · Hardcoded credentials
KEV Status: Known Exploited
Published: July 20, 2022
Last update: January 12, 2026

What the vulnerability does

01 Description

The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.

CISA mandated remediation

02 CISA Required Action

Apply updates per vendor instructions.

Key dates

03 Disclosure timeline

July 20, 2022: CVE published
January 12, 2026: Record updated