CrowdSec
5/10CrowdSec Score

Bitbucket Server - RCE (CVE-2022-36804)

Published on25-08-2022
First seen on11-08-2025
CVSS 8.8/10Atlassian - Bitbucket ServerAtlassian - Bitbucket Data Center

2Exploiting IPs reported

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. This vulnerability was reported via our Bug Bounty Program by TheGrandPew.

CrowdSec analysis

CVE-2022-36804 is a high-severity vulnerability in Atlassian Bitbucket Server and Data Center that allows remote attackers with read access to a repository to execute arbitrary code by sending specially crafted HTTP requests. This flaw could be exploited to compromise the integrity, confidentiality, and availability of affected Bitbucket instances, potentially leading to full system takeover or data breaches.

CrowdSec has been tracking this vulnerability and its exploits since 24th of July 2025.

CrowdSec network data shows that most actors exploiting CVE-2022-36804 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. CrowdSec data also reveals a clear uptick in attacks involving CVE-2022-36804 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit Bitbucket's archive API endpoint by injecting command execution payloads into the prefix parameter, allowing remote code execution on the server. The attack targets URLs like /rest/api/latest/projects/<key>/repos/<slug>/archive with crafted query strings.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Common Weakness Enumeration (CWE)

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

References