CVE-2026-21571

Medienbericht

EPSS 1.27%
Veröffentlicht 21.04.2026 17:16:22
Zuletzt bearbeitet 22.04.2026 21:24:26
Quelle security@atlassian.com
CVE-Watchlists
Login
Unerledigt
Login

This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0,
11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.
 
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an authenticated attacker to execute commands
on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability,
and requires no user interaction.
 
Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade
your instance to one of the specified supported fixed versions:
 Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25
 Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18 
 Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6

See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerAtlassian

≫

Produkt Bamboo Data Center

Version 12.1.0 to 12.1.3

Status affected

Version 12.0.0 to 12.0.2

Status affected

Version 11.0.0 to 11.0.8

Status affected

Version 10.2.0 to 10.2.16

Status affected

Version 10.1.0 to 10.1.1

Status affected

Version 10.0.0 to 10.0.3

Status affected

Version 9.6.2 to 9.6.24

Status affected

Version 12.1.6

Status unaffected

Version 10.2.18

Status unaffected

Version 9.6.25

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.27%	0.66

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@atlassian.com	9.4	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

27.04.2026 17:36

https://confluence.atlassian.com/pages/viewpage.action?pageId=1770913890

https://jira.atlassian.com/browse/BAM-26364

https://nvd.nist.gov/vuln/detail/CVE-2026-21571

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-21571

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-21571

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-21571