Atlassian Confluence
AtlassianCI/CD7 credentials1 default credential
Database Password
atlassian-confluence / database-password
Confluence Server and Data Center store database connection settings in confluence.cfg.xml in the Confluence home directory, unless configured to use an application-server datasource. The configuration includes the database user and password used by Confluence to connect to its relational database.
Looks like
pattern<property name="hibernate\.connection\.username">[^<]+</property>\s*<property name="hibernate\.connection\.password">[^<]*</property><property name="hibernate\.connection\.password">[^<]*</property>Location
$CONFLUENCE_HOME/confluence.cfg.xmlConfluence home configuration file
<installation-directory>/conf/server.xmldatasource configuration when Confluence uses a Tomcat datasource
Confluence home backups, migration bundles, VM snapshots, support zips
Notes
Atlassian documents confluence.cfg.xml as an important Confluence home file and datasource setup as touching server.xml, web.xml, and confluence.cfg.xml. Database access commonly exposes page content, attachments metadata, user directories, plugin configuration, and integration state outside the Confluence application layer.
Local User / Administrator Password
atlassian-confluence / local-user-admin-password
Confluence local users, including the administrator created during setup, authenticate with passwords stored in Confluence's configured user directory. For the internal directory, the password hash is stored in the Confluence database rather than in confluence.cfg.xml.
Looks like
patterncwd_user.*credential[^\\s:@]+@[^\\s:@]+:[^\\s:]+Location
Confluence internal user directory tables, including cwd_user credential data
/login.actionConfluence web login for local users and administrators
/rest/api/*REST API Basic authentication in Server/Data Center deployments
legacy publishing scripts and integrations that embed username/password auth
Notes
There is no universal shipped Confluence administrator password. The initial administrator is created by the setup flow or by an operator, and later users may be local, LDAP-backed, SSO-backed, or externally managed. Include literal passwords only for product-specific defaults or CVE-backed hardcoded accounts, not for Confluence as a generic product.
Questions App Hardcoded User
atlassian-confluence / questions-hardcoded-disabledsystemuser
Vulnerable versions of the Questions for Confluence app created a Confluence user account named disabledsystemuser with a hardcoded password. The account was added to confluence-users and could be used by a remote unauthenticated attacker who knew the password.
Looks like
patterndisabledsystemuserLocation
Confluence user directory tables after installing affected app versions
/login.actionConfluence web login reachable to remote attackers
Notes
CVE-2022-26138 affects Questions for Confluence app versions 2.7.34, 2.7.35, and 3.0.2, not every Confluence installation. Because the cited authoritative source does not state a literal password, this entry documents the hardcoded account and storage context without a default block.
Data Center Personal Access Token
atlassian-confluence / data-center-personal-access-token
Confluence Data Center and Server support personal access tokens for scripts and external integrations. Atlassian documents PATs as bearer tokens supplied in the Authorization header for REST API calls.
Looks like
patternAuthorization:\s*Bearer\s+[^\s]+Location
CONFLUENCE_TOKEN, CONFLUENCE_PAT, ATLASSIAN_TOKENautomation scripts, curl commands, CI jobs, publishing tools
REST client debug logs when Authorization headers are printed
CI/CD variables and deployment-platform secret stores
Notes
PATs are safer than embedding a user password in scripts, but they are still bearer credentials. The token carries the creating user's Confluence permissions until expiration or revocation.
Atlassian Cloud API Token
atlassian-confluence / cloud-api-token
Confluence Cloud REST clients authenticate with an Atlassian account email address and API token using HTTP Basic authentication. Atlassian documents the Basic header as the base64 form of email:api-token.
Looks like
patternAuthorization:\s*Basic\s+[A-Za-z0-9+/=]+[^\s:@]+@[^\s:@]+:[^\s:]+Location
publishing scripts, documentation automation, custom REST integrations
ATLASSIAN_EMAIL, ATLASSIAN_API_TOKEN, CONFLUENCE_API_TOKENlocal REST client configuration and integration settings
CI/CD variables and cloud secret managers used by integrations
Notes
This token belongs to the Atlassian account, not only to one Confluence site. Its practical blast radius is determined by the account's access across Atlassian Cloud applications that accept the same account token.
Application Link Basic Auth Credential
atlassian-confluence / application-link-basic-auth
Confluence application links can use Basic HTTP authentication for connecting Atlassian applications and integrations. The configured username and password are integration credentials stored with the link configuration.
Looks like
patternAuthorization:\s*Basic\s+[A-Za-z0-9+/=]+Location
Confluence application-link and plugin tables that persist integration settings
exported application-link or integration configuration
HTTP client debug logs and reverse-proxy logs if headers are captured
Notes
Basic-auth application links are legacy but still appear in older Atlassian estates. Treat the stored credential as the configured integration or service account, which often has broad space access.
Application Link OAuth Private Key
atlassian-confluence / application-link-oauth-private-key
Confluence application links can use OAuth for authenticated communication with other Atlassian applications. OAuth configurations rely on key material or application-link secrets that should be treated as integration credentials.
Looks like
pattern-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----Location
Confluence application-link and plugin tables for OAuth configuration
exported or scripted application-link configuration
database dumps and Confluence migration backups
Notes
The credential is scoped to the linked application trust relationship, not to an individual user password. Exposure can let an attacker forge or impersonate integration traffic depending on the configured OAuth mode and linked-application permissions.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.