lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Atlassian Confluence

AtlassianCI/CD7 credentials1 default credential

Credentials7 documented
01

Database Password

atlassian-confluence / database-password

Confluence Server and Data Center store database connection settings in confluence.cfg.xml in the Confluence home directory, unless configured to use an application-server datasource. The configuration includes the database user and password used by Confluence to connect to its relational database.

user definedsecretusername/password

Looks like

pattern
pattern

confluence.cfg.xml database credential pair; the username and password values are arbitrary operator-supplied strings

<property name="hibernate\.connection\.username">[^<]+</property>\s*<property name="hibernate\.connection\.password">[^<]*</property>
pattern

database password property in confluence.cfg.xml; Confluence 9.1+ encrypts database passwords by default using secured secrets

<property name="hibernate\.connection\.password">[^<]*</property>

Location

config file
$CONFLUENCE_HOME/confluence.cfg.xml

Confluence home configuration file

config file
<installation-directory>/conf/server.xml

datasource configuration when Confluence uses a Tomcat datasource

build artifact

Confluence home backups, migration bundles, VM snapshots, support zips

Notes

Atlassian documents confluence.cfg.xml as an important Confluence home file and datasource setup as touching server.xml, web.xml, and confluence.cfg.xml. Database access commonly exposes page content, attachments metadata, user directories, plugin configuration, and integration state outside the Confluence application layer.

02

Local User / Administrator Password

atlassian-confluence / local-user-admin-password

Confluence local users, including the administrator created during setup, authenticate with passwords stored in Confluence's configured user directory. For the internal directory, the password hash is stored in the Confluence database rather than in confluence.cfg.xml.

user definedsecretusername/password

Looks like

pattern
pattern

Confluence internal-directory password material in the database; the exact hash value has no Confluence-specific textual prefix and is identified by table and column context

cwd_user.*credential
pattern

raw Basic-auth username:password form before Base64 encoding; context is required because the password itself is arbitrary

[^\\s:@]+@[^\\s:@]+:[^\\s:]+

Location

database

Confluence internal user directory tables, including cwd_user credential data

public interface
/login.action

Confluence web login for local users and administrators

public interface
/rest/api/*

REST API Basic authentication in Server/Data Center deployments

source code

legacy publishing scripts and integrations that embed username/password auth

Notes

There is no universal shipped Confluence administrator password. The initial administrator is created by the setup flow or by an operator, and later users may be local, LDAP-backed, SSO-backed, or externally managed. Include literal passwords only for product-specific defaults or CVE-backed hardcoded accounts, not for Confluence as a generic product.

03

Questions App Hardcoded User

atlassian-confluence / questions-hardcoded-disabledsystemuser

Vulnerable versions of the Questions for Confluence app created a Confluence user account named disabledsystemuser with a hardcoded password. The account was added to confluence-users and could be used by a remote unauthenticated attacker who knew the password.

undocumentedstatic defaultsecretusername/password

Looks like

pattern
pattern

hardcoded username created by vulnerable Questions for Confluence app versions; the cited CVE confirms a hardcoded password but does not publish a literal password value in the NVD text

disabledsystemuser

Location

database

Confluence user directory tables after installing affected app versions

public interface
/login.action

Confluence web login reachable to remote attackers

Notes

CVE-2022-26138 affects Questions for Confluence app versions 2.7.34, 2.7.35, and 3.0.2, not every Confluence installation. Because the cited authoritative source does not state a literal password, this entry documents the hardcoded account and storage context without a default block.

04

Data Center Personal Access Token

atlassian-confluence / data-center-personal-access-token

Confluence Data Center and Server support personal access tokens for scripts and external integrations. Atlassian documents PATs as bearer tokens supplied in the Authorization header for REST API calls.

user definedsecrettoken

Looks like

pattern
pattern

no documented Confluence-specific token prefix; identify Data Center PATs by bearer-token use against Confluence REST endpoints

Authorization:\s*Bearer\s+[^\s]+

Location

environment
CONFLUENCE_TOKEN, CONFLUENCE_PAT, ATLASSIAN_TOKEN
source code

automation scripts, curl commands, CI jobs, publishing tools

logs

REST client debug logs when Authorization headers are printed

secret store

CI/CD variables and deployment-platform secret stores

Notes

PATs are safer than embedding a user password in scripts, but they are still bearer credentials. The token carries the creating user's Confluence permissions until expiration or revocation.

05

Atlassian Cloud API Token

atlassian-confluence / cloud-api-token

Confluence Cloud REST clients authenticate with an Atlassian account email address and API token using HTTP Basic authentication. Atlassian documents the Basic header as the base64 form of email:api-token.

user definedsecrettoken

Looks like

pattern
pattern

Base64-encoded Atlassian account email and API token; decode context is required because the token has no fixed Confluence-specific prefix

Authorization:\s*Basic\s+[A-Za-z0-9+/=]+
pattern

raw Basic-auth email:api-token form used by curl --user before it is Base64 encoded

[^\s:@]+@[^\s:@]+:[^\s:]+

Location

source code

publishing scripts, documentation automation, custom REST integrations

environment
ATLASSIAN_EMAIL, ATLASSIAN_API_TOKEN, CONFLUENCE_API_TOKEN
config file

local REST client configuration and integration settings

secret store

CI/CD variables and cloud secret managers used by integrations

Notes

This token belongs to the Atlassian account, not only to one Confluence site. Its practical blast radius is determined by the account's access across Atlassian Cloud applications that accept the same account token.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.