⚠ Reference material: not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Critical · CVSS 10.0 ⚠ ACTIVELY EXPLOITED: CISA KEV

How to Fix CVE-2023-22518: Atlassian Confluence Data Loss via Improper Authorization

*By Sai Kiran Pandrala*

⚡ At a glance
Severity: CVSS 10.0, Critical
Actively exploited? Yes, listed in CISA KEV (added 2023-11-07)
Affected: All versions of Confluence Data Center and Server (any 7.x and 8.x release prior to the fixed builds)
Fixed in: Confluence Data Center and Server 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1 (and any later release)
Type (CWE): Improper Authorization (CWE-862-related)

⚠ Patch and lock down. Ransomware crews started chaining this for full data destruction within days of disclosure. CISA added it to KEV on November 7, 2023. Confluence Cloud is NOT affected.

What is CVE-2023-22518?

A core authorization check in Confluence Data Center and Server is missing on certain administrative endpoints. An unauthenticated remote attacker can call those endpoints and reset the Confluence instance, wiping content, creating new administrator accounts, and effectively taking over the wiki.

Atlassian's original advisory called this an "Improper Authorization" issue and emphasized the data loss aspect over RCE. In practice, attackers used CVE-2023-22518 to:

  1. Reset Confluence to a fresh-install state, destroying years of content.
  2. Create a new admin account.
  3. Install malicious apps that gave them code execution.

The Cerber ransomware group was publicly documented using this chain in November 2023 to encrypt or destroy Confluence-hosted data and demand ransoms.

Am I affected?

You are affected if you run self-managed Confluence Data Center or Confluence Server at any version below the fixed builds listed above.

Atlassian Cloud Confluence is NOT affected (managed by Atlassian).

To check your version:

  1. Log into Confluence as admin → ⚙ → General Configuration; the version is shown in the page header.
  2. Or from the install host:

# Vendor advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
   grep Implementation-Version <confluence-install>/confluence/META-INF/MANIFEST.MF
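To make the version check repeatable across many hosts, here is an added Python example (not Atlassian's code and not taken from the advisory) that reads Implementation-Version out of MANIFEST.MF text and compares it against the minimum patched builds listed in this guide. The sample manifest is constructed; the fixed-build table is the one above, and any train with no fixed build (8.0 to 8.2, anything below 7.19) is treated as vulnerable, consistent with the "All versions" note above.

```python
import re

# Minimum fixed builds per release train, as listed in this guide.
# Trains without an entry have no patched build and must move to a fixed train;
# "any later release" is covered by comparing against the highest fixed build.
FIXED_BUILDS = {
    (7, 19): (7, 19, 16),
    (8, 3): (8, 3, 4),
    (8, 4): (8, 4, 4),
    (8, 5): (8, 5, 3),
    (8, 6): (8, 6, 1),
}
LATEST_FIXED = max(FIXED_BUILDS.values())  # (8, 6, 1)

# Constructed MANIFEST.MF excerpt for the demo; read the real file on your host.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Implementation-Title: Atlassian Confluence
Implementation-Version: 8.5.2
"""


def parse_version(text):
    """Return (major, minor, patch) from a version string such as '8.5.2'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_manifest(manifest_text):
    """Pull the Implementation-Version value out of MANIFEST.MF contents."""
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return parse_version(value)
    raise ValueError("Implementation-Version not found in manifest")


def is_fixed(version):
    """True if this build is at or above the CVE-2023-22518 fix for its train."""
    if version >= LATEST_FIXED:
        return True  # 8.6.1 or any later release
    fixed = FIXED_BUILDS.get(version[:2])
    return fixed is not None and version >= fixed


def assess(version):
    """Verdict string naming the build to upgrade to when vulnerable."""
    if is_fixed(version):
        return "fixed"
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "vulnerable; no patched build in this train, upgrade to 8.5.3 (LTS) or later"
    return "vulnerable; upgrade to %d.%d.%d or later" % fixed


if __name__ == "__main__":
    v = version_from_manifest(SAMPLE_MANIFEST)
    print("%d.%d.%d: %s" % (v + (assess(v),)))
```

Feed the real file with `version_from_manifest(open(path).read())`; the verdict for the sample 8.5.2 is "vulnerable; upgrade to 8.5.3 or later".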

How to fix CVE-2023-22518

  1. Take Confluence off the public internet immediately if it is exposed. This buys you the patch window. Self-managed Confluence rarely needs public exposure.
  2. Back up the database and <confluence-home> before any upgrade. With a CVE this severe, and ransomware crews specifically targeting Confluence, your backup IS your recovery plan.
  3. Download the patched installer for your train from https://www.atlassian.com/software/confluence/download-archives. Minimum patched builds:

- On 7.19.x → 7.19.16 (LTS)

- On 8.3.x → 8.3.4 (out of mainstream support, upgrade to LTS recommended)

- On 8.4.x → 8.4.4

- On 8.5.x → 8.5.3 (LTS, recommended target)

- On 8.6.x → 8.6.1

  4. Stop Confluence cleanly:

# Vendor advisory: https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907
   sudo systemctl stop confluence
   # or
   <confluence-install>/bin/stop-confluence.sh

  5. Run the installer in upgrade mode. It preserves your <confluence-home> and database connection. Follow the prompts.
  6. Start Confluence and tail <confluence-home>/logs/atlassian-confluence.log for a clean startup. Re-indexing takes 10-60 minutes depending on content size.
  7. For Data Center clusters, do rolling upgrades: drain a node from the load balancer, upgrade, validate, return it to rotation, then move to the next node.

If you can't patch immediately

Atlassian provided an interim mitigation in their advisory: take affected instances off the network until patched. There is no application-layer workaround that closes the vulnerable endpoints while leaving Confluence functional.

If "off the network" is not possible:

These are bridge controls only.

How to verify the fix worked

  1. After upgrade, confirm the running version on the General Configuration page (or via the manifest file). It should match or exceed the minimum patched build for your train.
  2. Run the IoC hunt:

- Check Confluence audit logs for admin accounts created during the unpatched window (October 2023 to your patch date). Investigate any account you don't recognize.

- Check the User Management section for unfamiliar admin-group members.

- Check the App Management (UPM) section for plugins you didn't install; Cerber and follow-on attackers were known to install malicious plugins for persistence.

- Search Confluence install dirs for unexpected .jsp or .war files dated after October 31, 2023.

  3. Test the previously-vulnerable endpoint with an unauthenticated request; the response should be a 401 or 403, not the previous successful action.
  4. Run a vulnerability scan against the Confluence URL. The CVE-2023-22518 detection should clear.
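The IoC hunt above, as an added Python example that is not from Atlassian or this guide. It scans an audit-log export for account creations and admin-group additions inside the unpatched window, and walks an install directory for .jsp/.war files modified after October 31, 2023. The log line format, the allow-list of expected accounts and the patch date are constructed placeholders (this is not Confluence's real audit format); only the default admin group name confluence-administrators is real. Adapt the regex to the export your instance produces.

```python
import os
import re
from datetime import datetime, timezone

# Unpatched window per the guide: late October 2023 until the day you patched.
WINDOW_START = datetime(2023, 10, 31, tzinfo=timezone.utc)
PATCH_DATE = datetime(2023, 11, 10, tzinfo=timezone.utc)  # placeholder: set your own patch date

# Constructed audit-log sample in a generic "timestamp | actor | action | target" form.
# NOT Confluence's real audit-log format; adjust LINE_RE for your export.
SAMPLE_AUDIT_LOG = """\
2023-10-20T09:12:00Z | alice | user.created | bob
2023-11-02T03:41:17Z | anonymous | user.created | svc_backup01
2023-11-02T03:41:19Z | svc_backup01 | group.member.added | confluence-administrators:svc_backup01
2023-11-03T11:00:00Z | alice | page.updated | HR Policy
2023-11-12T08:00:00Z | alice | user.created | carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<actor>[^|]+?) \| (?P<action>[^|]+?) \| (?P<target>.+)$"
)
ADMIN_GROUP = "confluence-administrators"
KNOWN_ACCOUNTS = {"alice", "bob", "carol"}  # constructed allow-list of accounts you expect


def suspicious_audit_events(log_text, start=WINDOW_START, end=PATCH_DATE, known=KNOWN_ACCOUNTS):
    """Return (timestamp, action, target) for in-window events that create an
    unrecognised account or add anyone to the Confluence admin group."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if not (start <= ts <= end):
            continue
        action, target = m["action"], m["target"]
        if action == "user.created" and target not in known:
            hits.append((ts, action, target))
        elif action == "group.member.added" and target.startswith(ADMIN_GROUP + ":"):
            hits.append((ts, action, target))
    return hits


def recent_web_artifacts(install_root, cutoff=WINDOW_START):
    """List .jsp/.war files under install_root whose mtime is after cutoff.
    Attackers can reset mtimes, so an empty list is not proof of a clean install."""
    found = []
    for dirpath, _dirs, files in os.walk(install_root):
        for name in files:
            if not name.lower().endswith((".jsp", ".war")):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            if mtime > cutoff:
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    for ts, action, target in suspicious_audit_events(SAMPLE_AUDIT_LOG):
        print(f"{ts.isoformat()} {action} {target}")
    for path in recent_web_artifacts("/opt/atlassian/confluence"):  # placeholder install path
        print("review:", path)
```

On the sample log this flags the anonymous creation of svc_backup01 and its addition to confluence-administrators, while the creations of bob (before the window) and carol (after the patch date) are ignored. Point `recent_web_artifacts` at `<confluence-install>` and treat every hit as something to explain, not to delete blindly.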

Frequently asked questions

Is CVE-2023-22518 still being exploited?

Yes. The Cerber ransomware group used it heavily in late 2023 and early 2024. Public exploit tooling is widely available. Unpatched, internet-reachable Confluence should be assumed compromised.

What's the difference between CVE-2023-22518 and CVE-2023-22515?

CVE-2023-22515 was an earlier (October 2023) Confluence authorization vulnerability that allowed unauthenticated admin account creation. CVE-2023-22518 was disclosed the following month and is a separate authorization gap with broader impact (full reset capability). They have different patch builds; confirm against the advisory for each.

Is Confluence Cloud affected?

No. Atlassian patched Cloud on the disclosure date. Only self-managed Data Center and Server need manual patching.

*This guide was assembled from the official Atlassian advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Atlassian's advisory before applying changes in production.*