CVE-2026-21571
Critical OS Command Injection in Atlassian Bamboo Data Center
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: Atlassian
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| atlassian | bamboo_data_center | From 9.6.25 (inc) |
| atlassian | bamboo_data_center | From 10.2.18 (inc) |
| atlassian | bamboo_data_center | From 12.1.6 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21571 is a critical OS Command Injection vulnerability found in multiple versions of Bamboo Data Center. It allows an authenticated attacker to remotely execute commands on the affected system without requiring any user interaction.
This Remote Code Execution (RCE) vulnerability has a high severity score of 9.4 and impacts confidentiality, integrity, and availability of the system at a high level.
The vulnerability affects Bamboo Data Center versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0, and Atlassian recommends upgrading to fixed versions to mitigate the risk.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote execution of commands on your Bamboo Data Center system.
Such exploitation can lead to high impact on confidentiality, allowing attackers to access sensitive data; high impact on integrity, enabling modification or corruption of data; and high impact on availability, potentially causing system outages or disruptions.
Because it requires only authenticated access and no user interaction, the risk of exploitation is significant if the system is not updated.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this critical OS Command Injection vulnerability in Bamboo Data Center, Atlassian recommends upgrading your Bamboo Data Center instance to the latest version.
If upgrading to the latest version is not possible, upgrade to one of the specified supported fixed versions:
- For Bamboo Data Center 9.6.0: upgrade to version 9.6.25 or later
- For Bamboo Data Center 10.2: upgrade to version 10.2.18 or later
- For Bamboo Data Center 12.1: upgrade to version 12.1.6 or later
Refer to the Bamboo release notes and download the latest version from Atlassian's download center to ensure your system is protected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to execute remote commands on the affected Bamboo Data Center system, which can lead to high impact on confidentiality, integrity, and availability of data.
Such a compromise could potentially result in unauthorized access to sensitive personal or protected health information, thereby affecting compliance with regulations like GDPR and HIPAA that mandate strict controls over data confidentiality and integrity.
However, no specific information is provided in the available resources about direct impacts or guidance related to compliance with these standards.