CVE-2026-21571: OS Command Injection in Atlassian Bamboo Data Center
This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS score of 9.4 and a CVSS vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, allows an authenticated attacker to execute commands on the remote system; it has high impact on confidentiality, integrity and availability, and requires no user interaction. Atlassian recommends that Bamboo Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
- Bamboo Data Center 9.6.0: upgrade to a release greater than or equal to 9.6.25
- Bamboo Data Center 10.2: upgrade to a release greater than or equal to 10.2.18
- Bamboo Data Center 12.1: upgrade to a release greater than or equal to 12.1.6
See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center from the download center (https://www.atlassian.com/software/bamboo/download-archives).
AI Analysis
Technical Summary
CVE-2026-21571 is an OS Command Injection vulnerability affecting multiple versions of Atlassian Bamboo Data Center (from 9.6.0 to 12.1.3). It permits an authenticated attacker with low privileges to execute arbitrary system commands remotely, resulting in remote code execution. The vulnerability has a CVSS 4.0 base score of 9.4, reflecting its critical severity and high impact on system confidentiality, integrity, and availability. Atlassian has released fixed versions to address this issue and strongly recommends upgrading to these patched releases. The vulnerability is tracked under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Potential Impact
An authenticated attacker with low privileges can exploit this vulnerability to execute arbitrary OS commands on the Bamboo Data Center server remotely. This can lead to full compromise of the affected system, including unauthorized access to sensitive data, modification or deletion of data, and disruption of service availability. The high CVSS score and vector indicate that exploitation requires no user interaction and has a broad impact on security properties.
Mitigation Recommendations
Atlassian recommends upgrading affected Bamboo Data Center instances to fixed versions: 9.6.25 or later for the 9.6.x line, 10.2.18 or later for the 10.2.x line, and 12.1.6 or later for the 12.1.x line. Users unable to upgrade immediately should prioritize planning an upgrade as no temporary or partial mitigations are specified. Patch status is confirmed by the vendor advisory and release notes. No cloud service is involved, so remediation is the responsibility of the Bamboo Data Center administrators.
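A small triage helper, added here as an example and not part of the advisory or of any Atlassian tooling: it classifies an installed Bamboo Data Center version against the fixed releases the advisory lists. It assumes a plain `MAJOR.MINOR[.PATCH]` version string, treats lines the advisory names as affected but gives no fix for (10.0, 10.1, 11.x, 12.0) as still affected, and flags anything newer than the 12.1 line as "not listed" rather than guessing.

```python
"""Added example (not from the advisory): classify an installed Bamboo Data
Center version against the fixed versions listed for CVE-2026-21571."""
import re

# Fixed patch level per supported line, as given in the advisory.
FIXED = {(9, 6): 25, (10, 2): 18, (12, 1): 6}
INTRODUCED = (9, 6, 0)       # earliest affected release per the advisory
LAST_LISTED_LINE = (12, 1)   # highest line for which the advisory names a fix


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing suffix such as '-rc1' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Bamboo version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(version: str) -> str:
    """Return one of 'not_affected', 'fixed', 'affected', 'not_listed'.

    not_affected: older than the release that introduced the flaw (9.6.0)
    fixed:        on a supported line at or above its fixed patch level
    affected:     in range and below the fix, or on a line (10.0, 10.1, 11.x,
                  12.0) for which the advisory lists no fixed release
    not_listed:   newer than the last line the advisory names; consult the
                  release notes instead of assuming either way (assumption)
    """
    major, minor, patch = parse_version(version)
    if (major, minor, patch) < INTRODUCED:
        return "not_affected"
    line = (major, minor)
    if line in FIXED:
        return "fixed" if patch >= FIXED[line] else "affected"
    if line > LAST_LISTED_LINE:
        return "not_listed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("9.5.4", "9.6.24", "9.6.25", "10.1.3", "10.2.18",
              "12.1.3", "12.1.6", "12.2.0"):
        print(f"{v:8s} {assess(v)}")
```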
CVSS v4.0 score: 9.4 (Critical)
Weaknesses: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Technical Details
- Data Version: 5.2
- Assigner Short Name: atlassian
- Date Reserved: 2026-01-01T00:00:40.720Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e7b0e319fe3cd2cde9a455
Added to database: 4/21/2026, 5:16:19 PM
Last enriched: 4/29/2026, 11:05:13 AM
Last updated: 6/5/2026, 12:47:54 AM