SB2026060234 - Multiple vulnerabilities in Confluence Data Center

Published: June 2, 2026

Security Bulletin ID: SB2026060234
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 88%, Low: 13%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-29146)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to decrypt protected communications.

The vulnerability exists due to the use of a padding-oracle-prone cryptographic mode in EncryptInterceptor when processing encrypted traffic with the default CBC configuration. A remote attacker can perform a padding oracle attack to decrypt protected communications.


2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-34487)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log output in the cloud membership for clustering component when writing log messages. A remote attacker can trigger log entries that expose the Kubernetes bearer token to disclose sensitive information.


3) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-24880)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform request smuggling.

The vulnerability exists due to improper input validation in HTTP/1.1 chunk extension handling when parsing chunked requests. A remote attacker can send a specially crafted request with an invalid chunk extension to perform request smuggling.

Exploitation requires a reverse proxy in front of Tomcat that allows CRLF sequences in an otherwise valid chunk extension.
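The defensive side of entry 3 is a chunked-body parser that enforces the RFC 9112 chunk-extension grammar exactly, so that a proxy and the origin cannot be made to disagree on where a chunk ends. The block below is an added example written for this bulletin, not Tomcat's own parser; the hex-size length limit of 16 digits and the omission of trailer fields are simplifying assumptions.

```python
import re

# RFC 9112: chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ),
# chunk-ext-name = token, chunk-ext-val = token / quoted-string. CR and LF appear nowhere
# in this grammar, so a strict parser never lets them move a chunk boundary.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[\t \x21\x23-\x5B\x5D-\x7E]|\\[\t \x21-\x7E])*"'
EXT_RE = re.compile(r"(?:[ \t]*;[ \t]*%s(?:[ \t]*=[ \t]*(?:%s|%s))?)*" % (TOKEN, TOKEN, QUOTED))

class ChunkError(ValueError):
    pass

def parse_chunk_size_line(line: bytes) -> int:
    """Parse one chunk-size line (terminating CRLF already removed) and return the size."""
    if b"\r" in line or b"\n" in line or not line.isascii():
        raise ChunkError("bare CR/LF or non-ASCII byte in chunk-size line")
    size_str, sep, ext = line.decode("ascii").partition(";")
    size_str = size_str.rstrip(" \t")  # BWS is allowed only between chunk-size and ';'
    if not re.fullmatch(r"[0-9A-Fa-f]{1,16}", size_str):
        raise ChunkError("invalid chunk-size")
    if sep and not EXT_RE.fullmatch(";" + ext):
        raise ChunkError("invalid chunk extension")
    return int(size_str, 16)

def is_valid_chunk_size_line(line: bytes) -> bool:
    try:
        parse_chunk_size_line(line)
        return True
    except ChunkError:
        return False

def decode_chunked(body: bytes) -> bytes:
    """Strictly decode a chunked body (trailer fields not supported); raise ChunkError on any violation."""
    out, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkError("missing CRLF after chunk-size line")
        size = parse_chunk_size_line(body[pos:end])
        pos = end + 2
        if size == 0:
            if body[pos:] != b"\r\n":
                raise ChunkError("expected only the final CRLF after last-chunk")
            return bytes(out)
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data does not match declared size")
        out += body[pos:pos + size]
        pos += size + 2
```

Any line the strict parser rejects is one a lenient front-end must also reject, or be configured to re-serialise, before forwarding it to Tomcat.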


4) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34483)

CWE-ID: CWE-116 - Improper Encoding or Escaping of Output

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary JSON into the JSON access log.

The vulnerability exists due to incomplete escaping in the JSON access log when handling requests with non-default Connector attributes relaxedPathChars and/or relaxedQueryChars. A remote attacker can send a specially crafted request to inject arbitrary JSON into the JSON access log.

Only configurations using non-default values for relaxedPathChars and/or relaxedQueryChars are affected.
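To make the consequence of entry 4 concrete, here is an added example (not Tomcat's JSON access log code) pairing a constructed incomplete field escaper with a hardened one, plus the check a log pipeline can run to quarantine malformed records. The field names, the sample address and the sample path are assumptions.

```python
import json

LOG_FIELDS = ("remote", "requestURI", "status")

def naive_json_field(value: str) -> str:
    """Constructed illustration of an incomplete escaper (not Tomcat's code): it only handles
    control characters, which is all that reaches it while the Connector keeps the default
    strict URI rules. Characters admitted by relaxedPathChars / relaxedQueryChars, such as
    '"' and '\\', pass through and can close or alter the JSON string."""
    table = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}
    return '"' + "".join(table.get(ch, ch) for ch in value) + '"'

def safe_json_field(value: str) -> str:
    """Hardened form: a real JSON encoder escapes every character that could terminate
    or restructure the enclosing document, whatever the Connector let into the URI."""
    return json.dumps(value, ensure_ascii=False)

def access_log_line(remote: str, request_uri: str, status: int, escape=safe_json_field) -> str:
    """Emit one JSON access-log record using the supplied field escaper."""
    return '{"remote":%s,"requestURI":%s,"status":%d}' % (escape(remote), escape(request_uri), status)

def log_line_is_sound(line: str, expected_fields=LOG_FIELDS) -> bool:
    """Detection check for a log pipeline: each line must parse as exactly one JSON object
    carrying exactly the fields the logger emits. Anything else means the record was
    malformed or carries injected keys and should be quarantined rather than indexed."""
    try:
        obj = json.loads(line)
    except ValueError:
        return False
    return isinstance(obj, dict) and set(obj) == set(expected_fields)

def field_from_log_line(line: str, field: str):
    return json.loads(line)[field]

# Constructed sample: a path containing a double quote, which only reaches the access log
# when relaxedPathChars has been widened to include '"'.
SAMPLE_URI = '/docs/"notes"'
VULNERABLE_LINE = access_log_line("10.0.0.7", SAMPLE_URI, 200, naive_json_field)
HARDENED_LINE = access_log_line("10.0.0.7", SAMPLE_URI, 200, safe_json_field)
```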


5) Input validation error (CVE-ID: CVE-2026-33750)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in sequence generation in expand() when parsing a brace pattern with a zero step value. A remote attacker can supply a specially crafted pattern to cause a denial of service.

User interaction is required to process the crafted input.
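The mitigation for entry 5 is input validation before sequence generation: refuse a zero step and bound the number of items. The block below is an added example written for this bulletin, not the affected library's expand() implementation; the item cap and the numeric-only range syntax are assumptions.

```python
import re

MAX_ITEMS = 10_000  # constructed cap; tune to what the application actually needs

def expand_sequence(start: int, end: int, step: int = 1, max_items: int = MAX_ITEMS) -> list:
    """Generate the numbers denoted by {start..end..step}.

    Constructed mitigation, not the affected library's code: a zero step is rejected up
    front (an unguarded loop that adds 0 never reaches `end`), the step sign is taken from
    the range direction, and the item count is bounded before anything is allocated.
    """
    if step == 0:
        raise ValueError("brace sequence step must not be zero")
    step = abs(step)
    count = abs(end - start) // step + 1
    if count > max_items:
        raise ValueError("brace sequence would produce %d items (limit %d)" % (count, max_items))
    direction = 1 if end >= start else -1
    return [start + direction * i * step for i in range(count)]

RANGE_RE = re.compile(r"\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}")

def expand_brace_range(pattern: str) -> list:
    """Expand a numeric brace range such as '{1..10..3}' into its string alternatives.
    Returns [pattern] unchanged when it is not a numeric range."""
    m = RANGE_RE.fullmatch(pattern)
    if not m:
        return [pattern]
    start, end, step = (int(g) if g is not None else 1 for g in m.groups())
    return [str(n) for n in expand_sequence(start, end, step)]

def brace_range_is_safe(pattern: str) -> bool:
    """Validation hook for untrusted input: True when the pattern expands within limits."""
    try:
        expand_brace_range(pattern)
        return True
    except ValueError:
        return False
```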


6) Improper Certificate Validation (CVE-ID: CVE-2026-29145)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass certificate revocation checks during authentication.

The vulnerability exists due to improper certificate validation in CLIENT_CERT authentication when processing OCSP checks in some scenarios with soft fail disabled. A remote user can present a certificate in affected scenarios to bypass certificate revocation checks during authentication.

Only some scenarios are affected when soft fail is disabled.


7) Improper authorization (CVE-ID: CVE-2026-24734)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incomplete OCSP verification checks. When using an OCSP responder, Tomcat's FFM integration with OpenSSL does not complete verification or freshness checks on the OCSP response. A remote attacker can bypass certificate revocation and gain unauthorized access to the application.
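Entries 6 and 7 both come down to a revocation decision that must fail closed unless the OCSP evidence is signed, fresh and positive. The block below is an added example of that decision logic, written for this bulletin; the OcspEvidence model, the freshness window and the sample timestamps are assumptions and not Tomcat's or OpenSSL's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspEvidence:
    """Constructed model of what a client learns from one OCSP lookup (not Tomcat's API)."""
    cert_status: Optional[str]              # "good", "revoked", "unknown"; None when no response came back
    signature_verified: bool = False        # response signed by the issuer or its designated responder
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None
    nonce_matched: Optional[bool] = None    # None when the request carried no nonce

def revocation_check_passes(ev: OcspEvidence, now: datetime, soft_fail: bool = False,
                            max_age: timedelta = timedelta(days=7),
                            skew: timedelta = timedelta(minutes=5)) -> bool:
    """Accept the certificate only on positive, verified, fresh evidence that it is not revoked.

    With soft fail disabled, a missing or unverifiable response must fail closed; skipping
    the signature or freshness checks is what lets a revoked certificate through.
    """
    if ev.cert_status is None or not ev.signature_verified:
        return soft_fail            # no trustworthy response: tolerated only under soft fail
    if ev.cert_status != "good":
        return False                # revoked or unknown is never accepted
    if ev.this_update is None or ev.this_update > now + skew:
        return False                # missing or future-dated thisUpdate
    if ev.next_update is not None:
        if now > ev.next_update + skew:
            return False            # the responder itself says this answer has expired
    elif now - ev.this_update > max_age:
        return False                # no nextUpdate: enforce a local freshness window
    if ev.nonce_matched is False:
        return False                # nonce sent but not echoed: possibly a replayed response
    return True

# Constructed sample evidence for a check run at 2026-06-02T12:00Z.
NOW = datetime(2026, 6, 2, 12, 0, tzinfo=timezone.utc)
FRESH_GOOD = OcspEvidence("good", True, NOW - timedelta(hours=1), NOW + timedelta(days=1), True)
STALE_GOOD = OcspEvidence("good", True, NOW - timedelta(days=30), NOW - timedelta(days=23), True)
UNVERIFIED_GOOD = OcspEvidence("good", False, NOW - timedelta(hours=1), NOW + timedelta(days=1))
REVOKED = OcspEvidence("revoked", True, NOW - timedelta(hours=1), NOW + timedelta(days=1))
NO_RESPONSE = OcspEvidence(None)
```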


8) Buffer overflow (CVE-ID: CVE-2026-29062)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error in UTF8DataInputJsonParser when parsing deeply nested JSON files. A remote attacker can pass specially crafted JSON data to the application and perform a denial of service attack.

Note: the vulnerability exists because the fix for #VU112106 (CVE-2025-52999) was not properly applied to the 3.x branch.
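The standard guard against entry 8 is a nesting-depth limit enforced before recursive parsing begins; Jackson 2.15 and later expose it as StreamReadConstraints.maxNestingDepth. The block below is an added example of that guard as a standalone byte scanner, written for this bulletin and not Jackson's code; the limit of 1000 and the sample documents are assumptions.

```python
import json

def json_nesting_depth(data: bytes, limit: int = 1000) -> int:
    """Return the maximum array/object nesting depth of a raw JSON document, scanning bytes
    without building a tree. Brackets inside string literals (including escaped quotes) are
    ignored. Scanning stops as soon as depth exceeds `limit`, so a multi-megabyte run of '['
    costs no more than the first `limit` + 1 opening brackets."""
    depth = max_depth = 0
    in_string = escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:            # backslash starts an escape sequence
                escaped = True
            elif b == 0x22:            # unescaped quote ends the string
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x5B, 0x7B):        # '[' or '{'
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if max_depth > limit:
                    return max_depth
        elif b in (0x5D, 0x7D):        # ']' or '}'
            depth -= 1
    return max_depth

def parse_with_depth_limit(data: bytes, limit: int = 1000):
    """Constructed guard (not Jackson's code): refuse over-nested input before it reaches a
    recursive-descent parser, the effect Jackson's StreamReadConstraints.maxNestingDepth has."""
    depth = json_nesting_depth(data, limit)
    if depth > limit:
        raise ValueError("JSON nesting depth exceeds limit %d" % limit)
    return json.loads(data)

def is_within_depth(data: bytes, limit: int = 1000) -> bool:
    return json_nesting_depth(data, limit) <= limit

# Constructed inputs: an ordinary document and a deeply nested one of the kind that exhausts a parser's stack.
NORMAL_DOC = b'{"page":{"title":"x","labels":["a",{"n":"[[[["}]}}'
DEEP_DOC = b"[" * 50_000 + b"]" * 50_000
```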


Remediation

Install the update from the vendor's website.