CVE-2026-21570

Medienbericht

EPSS 0.61%
Veröffentlicht 17.03.2026 18:00:00
Zuletzt bearbeitet 18.03.2026 14:52:44
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

This High severity RCE (Remote Code Execution)  vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute malicious code on the remote system.

Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
 Bamboo Data Center 9.6: Upgrade to a release greater than or equal to 9.6.24

 Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.16

 Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.3

See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).

This vulnerability was reported via our Atlassian (Internal) program.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerAtlassian

≫

Produkt Bamboo Data Center

Version 12.1.0 to 12.1.2

Status affected

Version 12.0.0 to 12.0.2

Status affected

Version 11.0.0 to 11.0.8

Status affected

Version 10.2.0 to 10.2.15

Status affected

Version 10.1.0 to 10.1.1

Status affected

Version 10.0.0 to 10.0.3

Status affected

Version 9.6.1 to 9.6.23

Status affected

Version 12.1.3

Status unaffected

Version 10.2.16

Status unaffected

Version 9.6.24

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.61%	0.696

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@atlassian.com	8.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://thehackernews.com/2026/03/weekly-recap-cicd-backdoor-fbi-buys.html

Medienbericht

TheHackersNews

23.03.2026 15:22

https://www.heise.de/news/Sicherheitspatches-Schadcode-Attacken-auf-Atlassian-Bamboo-moeglich-11221108.html

Medienbericht

heise Security

23.03.2026 11:37

https://confluence.atlassian.com/pages/viewpage.action?pageId=1721271371

https://jira.atlassian.com/browse/BAM-26342

https://nvd.nist.gov/vuln/detail/CVE-2026-21570

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-21570

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-21570

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-21570