Skip to main content

Bamboo Data Center CVE-2026-21571

| EUVDEUVD-2026-24143 CRITICAL
OS Command Injection (CWE-78)
2026-04-21 security@atlassian.com GHSA-6jpg-3x8j-cwmr
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 21, 2026 - 18:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 17:35 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24143
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
CRITICAL 9.4

DescriptionCVE.org

This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an authenticated attacker to execute commands on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.

Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25 Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18 Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6

See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).

AnalysisAI

Remote code execution in Atlassian Bamboo Data Center versions 9.6.0 through 12.1.0 allows authenticated attackers to execute arbitrary OS commands via command injection vulnerability. The attack requires low-privilege authentication (PR:L) but no user interaction, enabling complete system compromise across confidentiality, integrity, and availability with cross-scope impact (SC:H/SI:H/SA:H indicating container escape or lateral movement potential). Atlassian has released patches for three major version branches (9.6.25, 10.2.18, 12.1.6). No active exploitation confirmed in CISA KEV at time of analysis, though the authenticated nature and critical CVSS 9.4 score warrant immediate patching for internet-exposed instances with broad user access.

Technical ContextAI

Bamboo Data Center is Atlassian's enterprise continuous integration and deployment server platform, designed for clustered high-availability deployments. This vulnerability represents a CWE-78 class OS Command Injection flaw where user-controlled input is passed unsanitized to system shell commands. The affected versions span multiple major releases (9.6.0, 10.x, 11.x, 12.x), suggesting the vulnerable code path was introduced in version 9.6.0 and persisted through subsequent release cycles. The CVSS 4.0 vector's cross-scope impact metrics (SC:H/SI:H/SA:H) indicate the vulnerability enables attackers to break out of application security boundaries-potentially executing commands with higher privilege contexts than the application service account, or achieving container escape in containerized deployments. The PR:L (low privilege required) designation means any authenticated user account, not just administrators, can exploit this vulnerability, significantly expanding the attack surface in organizations with numerous CI/CD users or service accounts.

RemediationAI

Atlassian has released patches across three supported major version branches: upgrade to Bamboo Data Center 9.6.25 or later (for 9.6.x users), 10.2.18 or later (for 10.x users), or 12.1.6 or later (for 12.x users). Users on unsupported 11.x versions should migrate to the 12.1.6+ branch. Download patched releases from the Atlassian Bamboo download archives (https://www.atlassian.com/software/bamboo/download-archives) and follow upgrade procedures in the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). If immediate patching is not feasible, implement network segmentation to restrict Bamboo access to trusted IP ranges only via firewall rules, enforce multi-factor authentication for all user accounts to raise credential compromise difficulty, conduct audit of all user accounts to disable unnecessary or orphaned credentials, enable detailed command execution logging to detect exploitation attempts, and consider temporarily disabling Bamboo external network access if business continuity allows. Note these compensating controls only reduce attack surface and do not eliminate the vulnerability-patching remains the only complete remediation. No workarounds or configuration changes can mitigate this command injection flaw according to vendor advisory.

CVE-2023-22515 CRITICAL POC
9.8 Oct 04

Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited

CVE-2015-5603 MEDIUM POC
6.5 Sep 21

The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java

CVE-2015-8399 MEDIUM POC
4.3 Apr 11

Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName p

CVE-2012-2926 CRITICAL POC
9.1 May 22

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef

CVE-2014-2314 MEDIUM POC
4.3 Mar 09

Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers t

CVE-2023-22518 CRITICAL POC
9.8 Oct 31

All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. Rated critical severit

CVE-2022-26134 CRITICAL POC
9.8 Jun 03

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an un

CVE-2019-11580 CRITICAL POC
9.8 Jun 03

Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Rated

CVE-2017-9506 MEDIUM POC
6.1 Aug 23

The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before

CVE-2024-21683 HIGH POC
8.8 May 21

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data Center and

CVE-2022-36804 HIGH POC
8.8 Aug 25

Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 bef

CVE-2017-5983 CRITICAL POC
9.8 Apr 10

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer,

Share

CVE-2026-21571 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy