CVE-2026-21571: OS Command Injection in Atlassian Bamboo Data Center
This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS score of 9.4 and a CVSS vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, allows an authenticated attacker to execute commands on the remote system. It has high impact to confidentiality, high impact to integrity, and high impact to availability, and requires no user interaction.

Atlassian recommends that Bamboo Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
- Bamboo Data Center 9.6.0: upgrade to a release greater than or equal to 9.6.25
- Bamboo Data Center 10.2: upgrade to a release greater than or equal to 10.2.18
- Bamboo Data Center 12.1: upgrade to a release greater than or equal to 12.1.6

See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center from the download center (https://www.atlassian.com/software/bamboo/download-archives).
AI Analysis
Technical Summary
This vulnerability is an OS Command Injection in Atlassian Bamboo Data Center affecting multiple versions from 9.6.0 to 12.1.3. It enables remote code execution by an authenticated attacker with low privileges and requires no user interaction. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no attack prerequisites, and high impact on the confidentiality, integrity, and availability of both the vulnerable system (VC/VI/VA) and subsequent systems (SC/SI/SA). Atlassian has released fixed versions and advises upgrading to these versions to remediate the issue.
Potential Impact
An authenticated attacker with low privileges can execute arbitrary OS commands on the Bamboo Data Center server remotely. This can lead to full compromise of the system, affecting confidentiality, integrity, and availability of the affected environment. The vulnerability is rated critical with a CVSS score of 9.4. No public exploits have been reported so far.
Mitigation Recommendations
Atlassian recommends upgrading Bamboo Data Center to the latest available version. Specifically, upgrade to versions greater than or equal to 9.6.25, 10.2.18, or 12.1.6 depending on your current version line; the affected lines for which no in-line fix is listed (10.0, 10.1, 11.0, 11.1, and 12.0) must move to one of those fixed lines or to the latest release. Patch status is confirmed by the vendor advisory. If an immediate upgrade is not possible, prioritize planning for an update, as no temporary fixes or workarounds are indicated.
Technical Details
- Data Version: 5.2
- Assigner Short Name: atlassian
- Date Reserved: 2026-01-01T00:00:40.720Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e7b0e319fe3cd2cde9a455
Added to database: 4/21/2026, 5:16:19 PM
Last enriched: 4/21/2026, 5:32:55 PM
Last updated: 4/22/2026, 7:28:23 AM