Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134

On June 2, 2022, Atlassian issued a security advisory for their Confluence Server and Data Center applications, warning of a critical severity unauthenticated remote code execution vulnerability (CVE-2022-26134). The flaw affects all versions of Confluence Server and Data Center versions greater than 1.3.0. Atlassian has released a patch, urging customers to update immediately. Cloudflare's WAF and Access features already protect their customers from this vulnerability. On June 2, 2022, at 23:38 UTC, Cloudflare deployed an emergency release with a mitigation rule for the vulnerability. This rule automatically protected all websites using Cloudflare WAF, including free customers. Access users were also protected from external exploitation attempts before the emergency release.