CVE-2026-21571
Received Received - Intake
Critical OS Command Injection in Atlassian Bamboo Data Center

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: Atlassian

Description
This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. Β  This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an authenticated attacker to execute commands on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Β  Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25 Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18Β  Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6 See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21571
EUVD
EUVD-2026-24143
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
atlassian bamboo_data_center From 9.6.25 (inc)
atlassian bamboo_data_center From 10.2.18 (inc)
atlassian bamboo_data_center From 12.1.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an authenticated attacker to execute remote commands on the affected Bamboo Data Center system, which can lead to high impact on confidentiality, integrity, and availability of data.

Such a compromise could potentially result in unauthorized access to sensitive personal or protected health information, thereby affecting compliance with regulations like GDPR and HIPAA that mandate strict controls over data confidentiality and integrity.

However, no specific information is provided in the available resources about direct impacts or guidance related to compliance with these standards.

Executive Summary

CVE-2026-21571 is a critical OS Command Injection vulnerability found in multiple versions of Bamboo Data Center. It allows an authenticated attacker to remotely execute commands on the affected system without requiring any user interaction.

This Remote Code Execution (RCE) vulnerability has a high severity score of 9.4 and impacts confidentiality, integrity, and availability of the system at a high level.

The vulnerability affects Bamboo Data Center versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0, and Atlassian recommends upgrading to fixed versions to mitigate the risk.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote execution of commands on your Bamboo Data Center system.

Such exploitation can lead to high impact on confidentiality, allowing attackers to access sensitive data; high impact on integrity, enabling modification or corruption of data; and high impact on availability, potentially causing system outages or disruptions.

Because it requires only authenticated access and no user interaction, the risk of exploitation is significant if the system is not updated.

Mitigation Strategies

To mitigate this critical OS Command Injection vulnerability in Bamboo Data Center, Atlassian recommends upgrading your Bamboo Data Center instance to the latest version.

If upgrading to the latest version is not possible, upgrade to one of the specified supported fixed versions:

  • For Bamboo Data Center 9.6.0: upgrade to version 9.6.25 or later
  • For Bamboo Data Center 10.2: upgrade to version 10.2.18 or later
  • For Bamboo Data Center 12.1: upgrade to version 12.1.6 or later

Refer to the Bamboo release notes and download the latest version from Atlassian's download center to ensure your system is protected.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart