Confluence SSTI RCE - CVE-2023-22527
by Avento (jeyiuwai) · 2026-05-17
- Severity
- Critical
- CVE
- CVE-2023-22527
- Category
- web
- Affected product
- Atlassian Confluence Data Center and Confluence Server
- Affected versions
- 8.x before 8.5.4: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x and 8.5.0 through 8.5.3 affected; fixed in 8.5.4 (LTS) and later; 7.x NOT affected
- Disclosed
- 2024-01-16 (Atlassian advisory); added to this archive 2026-05-17
- Patch status
- patched
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-22527
- https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
- https://jira.atlassian.com/browse/CONFSERVER-93833
- https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/
- https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/
- https://github.com/Avento/CVE-2023-22527_Confluence_RCE
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Last Updated (source repo) | 2024-01-23 |
| Author / Researcher | Avento (jeyiuwai) |
| CVE / Advisory | CVE-2023-22527 |
| Category | web |
| Severity | Critical |
| CVSS Score | 10.0 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, Confluence, SSTI, Freemarker, OGNL, unauthenticated, Java, Atlassian, ransomware |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Atlassian Confluence Data Center and Confluence Server |
| Versions Affected | 8.x before 8.5.4: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x and 8.5.0 through 8.5.3 affected; fixed in 8.5.4 (LTS) and later; 7.x NOT affected |
| Language / Platform | Java / Apache Tomcat, Apache Struts 2 (OGNL), Apache Velocity templates; FreeMarker's Execute class is used only as the command-execution gadget |
| Authentication Required | No |
| Network Access Required | Yes |
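An affected-version triage helper for the range stated in the table above, added here as an example; it is not code from the page or from the Avento repo. It implements exactly the page's rule (8.x below 8.5.4 is affected, 7.x is not). The HTML parsing assumes that Confluence pages carry a `<meta name="ajs-version-number" content="...">` tag; treat that tag name as an assumption and confirm it against your own instance before relying on it.

```python
"""
Affected-version triage for CVE-2023-22527 (added example, not the page's or
the repo's own code). Rule taken from the page: Confluence 8.x < 8.5.4 affected,
7.x not affected.

Assumption: Confluence HTML exposes <meta name="ajs-version-number" content="8.5.3">.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = (8, 5, 4)  # first patched LTS release named on the page

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
# Assumed tag layout; attribute order may differ on real pages.
_META_RE = re.compile(
    r'<meta\s+name=["\']ajs-version-number["\']\s+content=["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'8.5.3', '8.5' or '8.5.3-suffix' -> (8, 5, 3); None when unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: str) -> bool:
    """True when the version lies in the affected range stated on the page."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Confluence version string: {version!r}")
    # Only the 8.x line is affected, and within it everything before 8.5.4.
    return v[0] == 8 and v < FIXED_VERSION


def version_from_html(html: str) -> Optional[str]:
    """Pull the version out of the (assumed) ajs-version-number meta tag."""
    m = _META_RE.search(html)
    return m.group(1) if m else None


def triage_html(html: str) -> Optional[bool]:
    """None when no version tag is present, otherwise the affected verdict."""
    ver = version_from_html(html)
    return None if ver is None else is_affected(ver)


# Constructed sample page fragment (not captured from a real instance).
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="8.5.3"></head></html>'

if __name__ == "__main__":
    for v in ("7.19.17", "8.0.0", "8.4.5", "8.5.3", "8.5.4", "8.6.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("sample page:", triage_html(SAMPLE_HTML))
```

The version string on the login page is attacker-visible too, so this check is equally useful for an asset inventory and for a pentest scoping pass; a missing tag (None) should be treated as "unknown", not "safe".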
Summary
CVE-2023-22527 is a CVSS 10.0 unauthenticated Remote Code Execution vulnerability in Atlassian Confluence Data Center and Server. It is a Server-Side Template Injection (SSTI): the Velocity template /template/aui/text-inline.vm is reachable without authentication and feeds the label request parameter into an OGNL expression. An attacker places an OGNL expression in label to reach the Struts OGNL evaluator, which then evaluates a second-stage expression supplied in the x parameter; that expression instantiates freemarker.template.utility.Execute and runs an arbitrary OS command. The vulnerability has been actively exploited in the wild by ransomware groups and nation-state actors.
Vulnerability Details
Root Cause
The template file confluence/template/aui/text-inline.vm evaluates $stack.findValue("getText('$parameters.label')"). Velocity interpolates the attacker-controlled label parameter into that string before it is parsed, so the value is not treated as a plain i18n key but as part of an OGNL expression. The evaluation chain runs through org.apache.struts2.views.velocity.StrutsVelocityContext#internalGet and org.apache.struts2.views.jsp.ui.OgnlTool#findValue, which evaluates the injected text as OGNL. From there the expression reaches #request['.KEY_velocity.struts2.context'].internalGet('ognl').findValue(#parameters.x,{}), which evaluates the x POST parameter as a second-stage OGNL expression. That second expression instantiates freemarker.template.utility.Execute and calls exec(), which ultimately invokes java.lang.Runtime#exec. The patch adds a ConfluenceOgnlGuard that blocks access to the #context, #request, #parameters, #session, #application and #attr variable references.
Attack Vector
Unauthenticated HTTP POST to /template/aui/text-inline.vm with Content-Type: application/x-www-form-urlencoded. The label parameter carries a URL-encoded OGNL traversal that reaches the OGNL evaluation context, and the x parameter carries the command to execute via freemarker.template.utility.Execute. In this PoC the command output is written into a custom X-Cmd-Response response header; that is a choice of the exploit, not a property of the vulnerability, so other exploits may return output in the body or return nothing at all.
Impact
Unauthenticated Remote Code Execution as the Confluence server process user (typically confluence on Linux). Full OS command execution enables data exfiltration, lateral movement, ransomware deployment, and persistent backdoor installation.
Environment / Lab Setup
OS: Linux (Ubuntu 22.04 recommended)
Target: Confluence Data Center 8.x < 8.5.4 (Docker via docker-compose.yml in repo)
Attacker: Kali Linux or any system with Python 3 + requests
Tools: Python 3, requests; Docker + Docker Compose for lab
Setup Steps
The vulnerable target is started from the docker-compose.yml shipped in the repo; see Step-by-Step Reproduction.
Proof of Concept
Step-by-Step Reproduction
1. Start the vulnerable Confluence instance using the provided docker-compose.yml:

```shell
docker compose up -d
```

2. Execute a command via the SSTI (the script injects the OGNL chain through the template endpoint):

```shell
python CVE-2023-22527.py --target http://<target>:8092 --cmd "id"
```

3. Verify in the access logs; a successful exploitation request returns HTTP 200:

```
192.168.11.1 - [23/Jan/2024:06:04:42 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 28906
```
Exploit Code
See CVE-2023-22527.py in this folder.
Expected Output
uid=1000(confluence) gid=1000(confluence) groups=1000(confluence)
Screenshots / Evidence
- The repo includes a diff screenshot showing the vulnerable text-inline.vm template (external image link).
Detection & Indicators of Compromise
Access-log indicator: POST /template/aui/text-inline.vm HTTP/1.1 returning 200. A 200 on its own does not prove the command ran (the template renders for any caller), so correlate with the request body where a proxy or WAF logs it, or with the X-Cmd-Response header this PoC sets.
SIEM / IDS Rule (example):
alert http any any -> $HOME_NET any (msg:"CVE-2023-22527 Confluence SSTI RCE Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/template/aui/text-inline.vm"; http_uri; content:"KEY_velocity.struts2.context"; http_client_body; nocase; classtype:web-application-attack; sid:9000012; rev:1;)
Caveat: the http_client_body literal matches only an unencoded payload. Attackers percent-encode the dots and substitute \uXXXX escapes for quotes and brackets, which the rule above does not see. A companion rule on method and URI alone (without the body content match) catches the encoded variants; legitimate requests to this template path should be rare, but baseline it before alerting on the path by itself.
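The detection logic above, run over constructed sample records, as an added example that is not code from the page or from the Avento repo. It handles the two record types a defender usually has: plain Tomcat or proxy access-log lines (method and path only, giving a lead) and records that also carry the POST body (from a reverse proxy or WAF that logs bodies), which are decoded before matching so that percent-encoded and \uXXXX-escaped payloads are still caught. The path normaliser mirrors what Tomcat does before servlet mapping (percent-decoding, dropping `;name=value` path parameters such as `;jsessionid=`, collapsing repeated slashes), since a literal URI match that skips those steps can be bypassed. The sample log lines and the schematic request body are constructed for the example; the body is deliberately not a working payload.

```python
"""
Detection of CVE-2023-22527 exploitation indicators over access-log lines and,
where available, logged POST bodies (added example, not the page's or repo's code).
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, unquote_plus

VULN_PATH = "/template/aui/text-inline.vm"

# Indicator strings taken from the exploit chain described on the page.
BODY_INDICATORS = (
    ".KEY_velocity.struts2.context",
    "internalGet(",
    "#parameters",
    "freemarker.template.utility.Execute",
)

# Tolerates both "ip - - [ts]" (standard CLF) and the "ip - [ts]" form shown on the page.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?:\S+ ){1,2}\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_PCT = re.compile(r"%[0-9a-fA-F]{2}")


def normalise_body(body: str) -> str:
    """Percent-decode (twice if the first pass still leaves %XX) and resolve \\uXXXX escapes."""
    decoded = unquote_plus(body)
    if _PCT.search(decoded):          # double-encoded payload
        decoded = unquote(decoded)    # plain unquote so '+' is not turned into a space
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), decoded)


def normalise_path(path: str) -> str:
    """Approximate Tomcat's URI handling so the comparison matches what gets mapped."""
    path = unquote(path.split("?", 1)[0])
    path = re.sub(r";[^/]*", "", path)    # drop ;jsessionid=... style path parameters
    return re.sub(r"/{2,}", "/", path)    # collapse repeated slashes


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str, body: Optional[str] = None) -> Dict[str, object]:
    """Return a verdict: unparsed, benign, suspicious_path or exploit_attempt."""
    rec = parse_log_line(line)
    if rec is None:
        return {"verdict": "unparsed", "indicators": []}
    path_hit = rec["method"] == "POST" and normalise_path(rec["path"]) == VULN_PATH
    hits: List[str] = []
    if body is not None:
        norm = normalise_body(body)
        hits = [ind for ind in BODY_INDICATORS if ind in norm]
    if path_hit and hits:
        verdict = "exploit_attempt"
    elif path_hit:
        verdict = "suspicious_path"
    else:
        verdict = "benign"
    return {"verdict": verdict, "ip": rec["ip"], "status": rec["status"], "indicators": hits}


# Constructed samples. The body is schematic: encoded indicator fragments only, not a payload.
PAGE_LOG_LINE = ('192.168.11.1 - [23/Jan/2024:06:04:42 +0000] '
                 '"POST /template/aui/text-inline.vm HTTP/1.1" 200 28906')
EVASIVE_LOG_LINE = ('10.0.0.5 - - [23/Jan/2024:06:05:01 +0000] '
                    '"POST /template//aui/text%2Dinline.vm;jsessionid=ABC HTTP/1.1" 200 28906')
BENIGN_LOG_LINE = ('10.0.0.9 - - [23/Jan/2024:06:06:10 +0000] '
                   '"GET /login.action HTTP/1.1" 200 1234')
ENCODED_BODY = ("label=%5Cu0027%2B%23request%5B%5Cu0027%2EKEY_velocity%2Estruts2%2Econtext"
                "%5Cu0027%5D%2EinternalGet%28%5Cu0027ognl%5Cu0027%29%28%23parameters%2Ex%29"
                "&x=%40freemarker%2Etemplate%2Eutility%2EExecute")

if __name__ == "__main__":
    print(classify(PAGE_LOG_LINE))
    print(classify(EVASIVE_LOG_LINE, ENCODED_BODY))
    print(classify(BENIGN_LOG_LINE))
```

Feed it real lines from a Tomcat access log for a lead-only verdict, and lines plus bodies from a proxy or WAF that logs bodies for a confirmed one; the body normaliser is the part that a Suricata literal match lacks.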
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade to Confluence 8.5.4 (LTS) or a later fixed release. Confluence 7.x and earlier are NOT affected. |
| Workaround (interim only) | Restrict external access to /template/ paths at the network perimeter; block unauthenticated POST requests to /template/aui/ via WAF or reverse proxy. Match on the normalised path (percent-decoded, path parameters such as ;jsessionid= removed), or the rule is trivially bypassed. This reduces exposure but does not remove the vulnerable code. |
| Config Hardening | The ConfluenceOgnlGuard arrives with the patched release, not as a standalone configuration change; do not expose Confluence directly to the internet, and place it behind a VPN or authenticating proxy where possible. |
References
- CVE-2023-22527 (NVD)
- Atlassian Security Advisory
- Jira Tracking: CONFSERVER-93833
- ProjectDiscovery Technical Analysis
- GitHub Security Blog - Bypassing OGNL sandboxes
- Source repo: https://github.com/Avento/CVE-2023-22527_Confluence_RCE
Notes
One of the most widely exploited Confluence vulnerabilities to date. The repo includes a docker-compose.yml for setting up a vulnerable lab environment and an all-stack.txt containing the complete call stack trace. The exploit chain goes through Velocity -> StrutsVelocityContext -> OgnlTool -> Freemarker Execute -> Runtime.exec. The command output is exfiltrated via a custom response header (X-Cmd-Response), so response-body inspection alone will not see it; detection has to look at the request (method, path, body) or at response headers. Stars: 26, Forks: 5. Language: Python.
Auto-ingested from https://github.com/Avento/CVE-2023-22527_Confluence_RCE on 2026-05-17.