CVE-2026-21571
Summary
| CVE | CVE-2026-21571 |
|---|---|
| State | PUBLISHED |
| Assigner | atlassian |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-21 17:16:22 UTC |
| Updated | 2026-04-22 21:24:26 UTC |
| Description | This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS score of 9.4 and a CVSS vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, allows an authenticated attacker to execute commands on the remote system; it has high impact on confidentiality, integrity and availability and requires no user interaction. Atlassian recommends that Bamboo Data Center customers upgrade to the latest version; if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center 9.6.0: upgrade to a release greater than or equal to 9.6.25; Bamboo Data Center 10.2: upgrade to a release greater than or equal to 10.2.18; Bamboo Data Center 12.1: upgrade to a release greater than or equal to 12.1.6. See the release notes (https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html). You can download the latest version of Bamboo Data Center from the download center (https://www.atlassian.com/software/bamboo/download-archives). |
Risk And Classification
Primary CVSS: v4.0 9.4 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/C... |
| 4.0 | CNA | DECLARED | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Attack Requirements (AT) | None |
| Privileges Required (PR) | Low |
| User Interaction (UI) | None |
| Vulnerable System Confidentiality (VC) | High |
| Vulnerable System Integrity (VI) | High |
| Vulnerable System Availability (VA) | High |
| Subsequent System Confidentiality (SC) | High |
| Subsequent System Integrity (SI) | High |
| Subsequent System Availability (SA) | High |
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Atlassian | Bamboo Data Center | affected 12.1.0 to 12.1.3 | Not specified |
| CNA | Atlassian | Bamboo Data Center | affected 12.0.0 to 12.0.2 | Not specified |
| CNA | Atlassian | Bamboo Data Center | affected 11.0.0 to 11.0.8 | Not specified |
| CNA | Atlassian | Bamboo Data Center | affected 10.2.0 to 10.2.16 | Not specified |
| CNA | Atlassian | Bamboo Data Center | affected 10.1.0 to 10.1.1 | Not specified |
| CNA | Atlassian | Bamboo Data Center | affected 10.0.0 to 10.0.3 | Not specified |
| CNA | Atlassian | Bamboo Data Center | affected 9.6.2 to 9.6.24 | Not specified |
| CNA | Atlassian | Bamboo Data Center | unaffected 12.1.6 | Not specified |
| CNA | Atlassian | Bamboo Data Center | unaffected 10.2.18 | Not specified |
| CNA | Atlassian | Bamboo Data Center | unaffected 9.6.25 | Not specified |
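The declared ranges above do not line up exactly with the description: the table's lower bound on the 9.6 branch is 9.6.2 while the description names 9.6.0 as an introducing version, and 12.1.4 and 12.1.5 sit between the declared upper bound 12.1.3 and the fixed release 12.1.6. An inventory check that treats "outside the declared range" as "fixed" would therefore miss versions that may still be vulnerable. The following is an added example, not Atlassian's tooling and not part of the CVE record: it encodes the table's ranges and the three fixed releases the description names, and reports any version on an affected branch that is outside the declared range and below (or without) a listed fix as "unverified" rather than safe. The `parse_version` helper, the verdict names and the handling of version qualifiers are assumptions of this example, not anything the advisory defines.

```python
"""Affected-version check for CVE-2026-21571 (Bamboo Data Center).

Added example; this is not Atlassian's tooling and not part of the CVE record.
The ranges below are copied from the vendor-declared affected products table
on this page, and the fixed releases are the three the description names
(9.6.25, 10.2.18, 12.1.6). Branches 10.0, 10.1, 11.0 and 12.0 have declared
affected ranges but no fixed release listed here, so for them the only advice
the page supports is the description's general one: upgrade to the latest
release.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

Version = tuple  # (major, minor, patch)


class Range(NamedTuple):
    first: Version            # inclusive lower bound, as declared
    last: Version             # inclusive upper bound, as declared
    fix: Optional[Version]    # fixed release on the same branch, if the page lists one


# Copied from the "Vendor Declared Affected Products" table on this page.
AFFECTED = [
    Range((12, 1, 0), (12, 1, 3), (12, 1, 6)),
    Range((12, 0, 0), (12, 0, 2), None),
    Range((11, 0, 0), (11, 0, 8), None),
    Range((10, 2, 0), (10, 2, 16), (10, 2, 18)),
    Range((10, 1, 0), (10, 1, 1), None),
    Range((10, 0, 0), (10, 0, 3), None),
    Range((9, 6, 2), (9, 6, 24), (9, 6, 25)),
]


class Verdict(NamedTuple):
    status: str             # "affected", "fixed", "unverified" or "unlisted" (names chosen here)
    version: str
    fix: Optional[str]      # fixed release for the branch, if the page lists one
    advice: str


def parse_version(text: str) -> Version:
    """'10.2.16' -> (10, 2, 16); '10.2' -> (10, 2, 0). A trailing qualifier
    such as '-rc1' is ignored; that is an assumption about how a site records
    its Bamboo version, not something the advisory defines."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a Bamboo version string: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version: str) -> Verdict:
    """Map one installed version to a verdict against the declared ranges.

    Being outside a declared affected range is deliberately NOT reported as
    "fixed": 12.1.4 and 12.1.5 fall between the declared upper bound 12.1.3
    and the fixed release 12.1.6, and 9.6.0 and 9.6.1 are named as
    introducing versions in the description but are below the table's lower
    bound of 9.6.2. Both cases come back as "unverified".
    """
    v = parse_version(version)
    branch = v[:2]
    for r in AFFECTED:
        if r.first <= v <= r.last:
            fix = fmt(r.fix) if r.fix else None
            advice = (f"upgrade to {fix} or later, or to the latest release" if fix
                      else "no fixed release listed for this branch; upgrade to the latest release")
            return Verdict("affected", version, fix, advice)
    for r in AFFECTED:
        if r.first[:2] == branch:
            fix = fmt(r.fix) if r.fix else None
            if r.fix and v >= r.fix:
                return Verdict("fixed", version, fix, "at or above the listed fixed release")
            return Verdict("unverified", version, fix,
                           "on an affected branch but outside the declared range; "
                           "treat as affected until the Atlassian advisory confirms otherwise")
    return Verdict("unlisted", version, None,
                   "branch not declared on this record; check the advisory for newer data")


if __name__ == "__main__":
    for sample in ("10.2.16", "12.1.4", "12.1.6", "9.6.1", "11.0.8", "13.0.0"):
        print(assess(sample))
```

Run it against the version string each Bamboo node reports and act on anything that is not "fixed"; the "unverified" verdict exists precisely so that the gaps between the table and the description are surfaced for a human to resolve against the Atlassian advisory rather than silently passed.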
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| jira.atlassian.com/browse/BAM-26364 | [email protected] | jira.atlassian.com | |
| confluence.atlassian.com/pages/viewpage.action | [email protected] | confluence.atlassian.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.