CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an domain, it is hosted by Atlassian and is not vulnerable to this issue.

SummaryCVE-2023-22527 - RCE (Remote Code Execution) Vulnerability in Out-of-Date Versions of Confluence Data Center and Server
Advisory Release DateTue, Jan 16 2024 01:00 EST
  • Confluence Data Center
  • Confluence Server
CVE IDCVE-2023-22527
Related Jira Ticket(s)

Summary of Vulnerability

A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action.

Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.

See “What You Need to Do” for detailed instructions.


Atlassian rates the severity level of this vulnerability as critical (10.0 with the following vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) per our internal assessment.
This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

This RCE (Remote Code Execution) vulnerability affects out-of-date Confluence Data Center and Server 8 versions released before Dec. 5, 2023 as well as 8.4.5 which no longer receives backported fixes in accordance with our Security Bug Fix Policy. Atlassian recommends patching to the latest version.

Note: 7.19.x LTS versions are not affected by this vulnerability

ProductAffected Versions
Confluence Data Center and Server
  • 8.0.x
  • 8.1.x
  • 8.2.x
  • 8.3.x
  • 8.4.x
  • 8.5.0-8.5.3

What You Need To Do

Immediately patch to the latest version

If you are on an out-of-date version, you must immediately patch. Atlassian recommends that you patch each of your affected installations to the latest version available. The listed Fixed Versions are no longer the most up-to-date and do not protect your instance from other non-critical vulnerabilities as outlined in Atlassian’s January Security Bulletin.

ProductFixed VersionsLatest Versions
Confluence Data Center and Server
  • 8.5.4 (LTS)
  • 8.5.5 (LTS)

Confluence Data Center
  • 8.6.0 (Data Center Only)
  • 8.7.1 (Data Center Only)
  • 8.7.2 (Data Center Only)


There are no known workarounds. To remediate this vulnerability, update each affected product installation to the latest version.


This vulnerability was discovered by Petrus Viet and reported via our Bug Bounty program.


If you did not receive an email for this advisory, and you wish to receive such emails in the future go to and subscribe to Tech Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at

Frequently Asked Questions (FAQ)

More details can be found on the Frequently Asked Questions (FAQ) page.


Security Bug Fix PolicyAs per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches.
Binary patches are no longer released.
Security Levels for Security IssuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at
End of Life PolicyOur end of life policy varies for different products. Please refer to our EOL Policy for details.
Last modified on Jan 16, 2024

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.