Atlassian: Atlassian Confluence Data Center & Server: Broken Access Control (Praetorian analysis blog)
CWE-284
Improper Access Control
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Per NVD: “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability.” Per Atlassian Jira CONFSERVER-92475: “Vulnerability Source: Customer Report. Credit: an Atlassian customer.” Per Praetorian’s blog: “Recently, Rapid7 disclosed a vulnerability within Confluence that allowed a remote unauthenticated attacker to create a new administrative user account by bypassing the XWork SafeParameterFilter functionality.”
Affected Packages / Versions
- Package: atlassian-confluence (Data Center / Server)
- Latest published version at triage time: Atlassian's affected list ends at 8.5.1
- Affected range: Per Atlassian FAQ for CVE-2023-22515 and CONFSERVER-92475: Confluence Data Center and Server 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1. "Versions prior to 8.0 are not affected."
- Patched version: Per Atlassian FAQ: Confluence Data Center & Server 8.3.3, 8.4.3, or 8.5.2 (or any later version)
Impact
Per Atlassian FAQ: “Publicly accessible Confluence Data Center and Server versions as listed below are at critical risk and require immediate attention.” The FAQ also notes: “If an instance has already been compromised, upgrading will not remove the compromise.” Listed in CISA’s Known Exploited Vulnerabilities Catalog.
Severity Rationale
Per Atlassian Jira CONFSERVER-92475: CVSS Score 10 (Critical), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. NVD scores 9.8 (vector S:U). The vendor's vector sets Scope to Changed (S:C); NVD's sets it Unchanged (S:U), which accounts for the 10.0 versus 9.8 difference.
Fix
Per Atlassian FAQ: “Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) below.” Fixed versions: 8.3.3, 8.4.3, 8.5.2 (or later).
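A triage helper added for this record (not Atlassian's, Rapid7's or Praetorian's code) that classifies a Confluence Data Center/Server version string against the affected list and the fixed versions quoted in the sections above; a version on neither list (for example 8.1.2, which Atlassian's list omits) is reported as "unknown" for manual review rather than assumed safe.

```python
"""Triage helper for CVE-2023-22515: classify a Confluence Data Center/Server
version string against the affected and fixed versions Atlassian published."""

# Explicitly affected versions per Atlassian's list (as quoted on this page).
# Note 8.1.2 does not appear in that list, so it is deliberately absent here.
AFFECTED = {
    "8.0.0", "8.0.1", "8.0.2", "8.0.3", "8.0.4",
    "8.1.0", "8.1.1", "8.1.3", "8.1.4",
    "8.2.0", "8.2.1", "8.2.2", "8.2.3",
    "8.3.0", "8.3.1", "8.3.2",
    "8.4.0", "8.4.1", "8.4.2",
    "8.5.0", "8.5.1",
}

# Fixed versions per the Atlassian FAQ, keyed by (major, minor) branch. Anything at
# or above the fix on its own branch, or newer than the newest fix, is "or any later".
FIXED_BY_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
LATEST_FIXED = max(FIXED_BY_BRANCH.values())  # (8, 5, 2)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch'; a trailing qualifier such as '-LTS' is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(text: str) -> str:
    """Return 'affected', 'fixed', 'not-affected' or 'unknown' for one version."""
    v = parse_version(text)
    if v < (8, 0, 0):
        return "not-affected"          # "Versions prior to 8.0 are not affected."
    if ".".join(map(str, v)) in AFFECTED:
        return "affected"
    fixed_here = FIXED_BY_BRANCH.get(v[:2])
    if (fixed_here and v >= fixed_here) or v > LATEST_FIXED:
        return "fixed"
    return "unknown"                   # on neither published list: review manually


def needs_attention(inventory: dict[str, str]) -> dict[str, str]:
    """Given {host: version}, keep only hosts that are 'affected' or 'unknown'."""
    statuses = {host: assess(ver) for host, ver in inventory.items()}
    return {h: s for h, s in statuses.items() if s in ("affected", "unknown")}
```

Feed `needs_attention` a host-to-version map from your asset inventory; remember that, per the FAQ, a "fixed" result only means the version is patched, not that an already-compromised instance is clean.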
Disclosure timeline
- TBD: Reported to Atlassian ("customer report" per Atlassian Jira)
- Oct 4, 2023: Patch released (Atlassian advisory; date matches NVD published)
- Oct 4, 2023: Public disclosure
Fix Commit(s)
References
Discovered by: Per Atlassian Jira CONFSERVER-92475: "Vulnerability Source: Customer Report. Credit: an Atlassian customer." Rapid7 published the initial public analysis. Praetorian published a follow-up analysis blog and confirmed Atlassian Bamboo was not vulnerable. · Published April 29, 2026