{"api_version":"1","generated_at":"2026-04-23T04:11:45+00:00","cve":"CVE-2022-26133","urls":{"html":"https://cve.report/CVE-2022-26133","api":"https://cve.report/api/cve/CVE-2022-26133.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-26133","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-26133"},"summary":{"title":"CVE-2022-26133","description":"SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.","state":"PUBLIC","assigner":"security@atlassian.com","published_at":"2022-04-20 19:15:00","updated_at":"2022-04-28 17:50:00"},"problem_types":["CWE-502"],"metrics":[],"references":[{"url":"https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html","name":"https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html","refsource":"MISC","tags":[],"title":"Multiple Products Security Advisory - Hazelcast Vulnerable To Remote Code Execution - CVE-2016-10750, CVE-2022-26133 | Atlassian Support | Atlassian Documentation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://jira.atlassian.com/browse/BSERV-13173","name":"https://jira.atlassian.com/browse/BSERV-13173","refsource":"MISC","tags":[],"title":"[BSERV-13173] Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133 - Create and track feature requests for Atlassian products.","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-26133","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26133","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"bitbucket_data_center","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"26133","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"bitbucket_data_center","cpe6":"7.20.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-26133","qid":"376867","title":"Atlassian Bitbucket Data Center Remote Code Execution (RCE) Vulnerability (BSERV-13173) (Authenticated Check)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@atlassian.com","DATE_PUBLIC":"2022-03-24T23:00:00","ID":"CVE-2022-26133","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Bitbucket Data Center","version":{"version_data":[{"version_value":"5.14.0","version_affected":">="},{"version_value":"7.6.14","version_affected":"<"},{"version_value":"7.7.0","version_affected":">="},{"version_value":"7.17.6","version_affected":"<"},{"version_value":"7.18.0","version_affected":">="},{"version_value":"7.18.4","version_affected":"<"},{"version_value":"7.19.0","version_affected":">="},{"version_value":"7.19.4","version_affected":"<"},{"version_value":"7.20.0","version_affected":"="}]}}]},"vendor_name":"Atlassian"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Deserialization of untrusted data"}]}]},"references":{"reference_data":[{"url":"https://jira.atlassian.com/browse/BSERV-13173","refsource":"MISC","name":"https://jira.atlassian.com/browse/BSERV-13173"},{"url":"https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html","refsource":"MISC","name":"https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html"}]}},"nvd":{"publishedDate":"2022-04-20 19:15:00","lastModifiedDate":"2022-04-28 17:50:00","problem_types":["CWE-502"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14.0","versionEndExcluding":"7.6.14","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*","versionStartIncluding":"7.7.0","versionEndExcluding":"7.17.6","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*","versionStartIncluding":"7.18.0","versionEndExcluding":"7.18.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket_data_center:*:*:*:*:*:*:*:*","versionStartIncluding":"7.19.0","versionEndExcluding":"7.19.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:bitbucket_data_center:7.20.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}