CVE-2023-22515

Published Oct 4, 2023

Last updated 3 months ago

Exploit known
CVSS critical 9.8
web application
Server
HTTP

Overview

Description
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Source
security@atlassian.com
NVD status
Analyzed
Products
confluence_data_center, confluence_server

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

CVSS 3.0

Type
Secondary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Atlassian Confluence Data Center and Server Broken Access Control Vulnerability
Exploit added on
Oct 5, 2023
Exploit action due
Oct 13, 2023
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Check all affected Confluence instances for evidence of compromise per vendor instructions and report any positive findings to CISA.

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo
134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-20

Social media

Hype score
Not currently trending
  1. I just completed Confluence CVE-2023-22515 room on TryHackMe! Exploit CVE-2023-22515 to get admin access to Confluence Server and Data Center editions. https://t.co/Qe5LIyD9L7 #tryhackme via @tryhackme #tryhackme #Consistency #cyberverse #vulnerability

    @LittleSun4lower

    19 Apr 2026

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2023-22515 is a CVSS 9.8 Atlassian Confluence zero-day that lets unauthenticated attackers create admin accounts in three HTTP requests — exploited by Chinese APT Storm-0062 for 20 days before the patch existed. https://t.co/Chm9mIbg3C

    @vulnsurge

    26 Mar 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. I just completed Confluence CVE-2023-22515 room on TryHackMe! Exploit CVE-2023-22515 to get admin access to Confluence Server and Data Center editions. https://t.co/7trslcTTWC #tryhackme via @tryhackme

    @ToTo13ru_xakep

    10 Mar 2026

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Day 58/365 tryhackme I just completed Confluence CVE-2023-22515 room on TryHackMe! Exploit CVE-2023-22515 to get admin access to Confluence Server and Data Center editions. https://t.co/q5UfuyXZdy?

    @purpullgirl

    28 Feb 2026

    88 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  5. I just completed Confluence CVE-2023-22515 room on TryHackMe! Exploit CVE-2023-22515 to get admin access to Confluence Server and Data Center editions. https://t.co/q6WoeMnHZO #tryhackme via @tryhackme

    @mrBr4un

    23 Feb 2026

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Confluence 0-day: setup grants admin access Concise incident summary: CVE-2023-22515 in Atlassian Confluence enables unauthenticated users to force Setup Mode, create a persistent admin account, and complete setup, gaining full control. Exploited via curl to /setup/*; urgent

    @Secwiserapp

    16 Feb 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Day 84 of #100DaysOfCybersecurity🛡️ Confluence CVE-2023-22515 lab completed 📷✅ • CVSS 10.0 broken access control flaw 🔥 • Reenables initial setup remotely • Create a new admin with zero auth • Full takeover in one request Actively exploited in the wild ⚠️

    @HezyChacha

    5 Jan 2026

    70 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. I just completed Confluence CVE-2023-22515 room on TryHackMe! Exploit CVE-2023-22515 to get admin access to Confluence Server and Data Center editions. https://t.co/pKFQoJ4lev #tryhackme via @tryhackme

    @HezyChacha

    5 Jan 2026

    51 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2023-22515 – Confluence Broken Access Control Exploit This script is designed to exploit the CVE-2023-22515 vulnerability in Confluence, which allows for unauthorized access to Confluence Server and Confluence Data Center instances. The vulnerability is categorized as a

    @HackingTeam777

    15 Nov 2025

    647 Impressions

    0 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  10. GitHub - Chocapikk/CVE-2023-22515: CVE-2023-22515: Confluence Broken Access Control Exploit https://t.co/SZyC4zC5qk

    @akaclandestine

    14 Nov 2025

    902 Impressions

    5 Retweets

    15 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

  11. I just completed Confluence CVE-2023-22515 room on TryHackMe. Exploit CVE-2023-22515 to get admin access to Confluence Server and Data Center editions. https://t.co/FGR2AqY6xR #tryhackme via @realtryhackme

    @GuanShanZhe

    14 Oct 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CRITICAL CONFLUENCE FLAW! A Broken Access Control (CVE-2023-22515) vulnerability grants attackers Unauthorized Access to Internal Data. Your internal documentation, knowledge base, and secrets are exposed. Read the full report on - https://t.co/IBex3VuWTb https://t.co/lV12ZmaY3Q

    @cyberbivash

    30 Sept 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. I just completed Confluence CVE-2023-22515 room on TryHackMe. Exploit CVE-2023-22515 to get admin access to Confluence Server and Data Center editions. https://t.co/a6TM8wNkKl #tryhackme via @realtryhackme

    @buttbundy

    31 Aug 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

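  14. A brief analysis of Confluence CVE-2023-22515. Advisory analysis: the vulnerability advisory points to the /setup/* family of routes. At first I thought that directly accessing /setup/setupadministrator.action to add an administrator would be enough; when I had set up the environment and was testing DNS domain hijacking, database dumping, game cheats and other services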

    @hacker_HouZi

    7 Aug 2025

    1035 Impressions

    0 Retweets

    16 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

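  15. A brief analysis of Confluence CVE-2023-22515. Advisory analysis: the vulnerability advisory points to the /setup/* family of routes. At first I thought that directly accessing /setup/setupadministrator.action to add an administrator would be enough; when I had set up the environment and was testing DNS domain hijacking, database dumping, game cheats and other services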

    @hacker_HouZi

    17 Jul 2025

    1311 Impressions

    0 Retweets

    10 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. These guys are exploiting CVE-2023-22515 and running a trojan in an ISO file. You keep insisting on trying to install Kali🤔

    @alpagu995

    18 Dec 2024

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations