Description
This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0,
11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.
 
This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an authenticated attacker to execute commands
on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability,
and requires no user interaction.
 
Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade
your instance to one of the specified supported fixed versions:
Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25
Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18 
Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6

See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
Published: 2026-04-21
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an OS Command Injection flaw that allows an authenticated attacker to execute arbitrary commands on a Bamboo Data Center server. The flaw provides complete compromise of confidentiality, integrity, and availability, and requires no user interaction. According to the CVSS vector, the attack can be performed over a network with low attack complexity and low required privileges.

Affected Systems

The issue affects Atlassian Bamboo Data Center running any of the following versions released before the indicated fixes: 9.6.0 through 9.6.24, the earlier 10.x releases up to 10.2.17, and the earlier 12.x releases up to 12.1.5. Atlassian recommends upgrading to Bamboo Data Center 9.6.25 or later, 10.2.18 or later, or 12.1.6 or later to eliminate the vulnerability.

Risk and Exploitability

With a CVSS score of 9.4 and an EPSS score that is not available, the risk remains high. The flaw is listed as not part of the CISA KEV catalogue. Because the vulnerability can be exploited by anyone who can authenticate to the Bamboo service, a compromised or malicious user can gain full control over the underlying host. The lack of user interaction and the low attack complexity mean that a determined attacker can quickly achieve full system compromise.

Generated by OpenCVE AI on April 21, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify whether your Bamboo Data Center instance is running one of the vulnerable versions listed above.
  • Upgrade the instance to a supported fixed release (9.6.25 or newer, 10.2.18 or newer, or 12.1.6 or newer).
  • Apply network segmentation or firewall rules to limit external access to the Bamboo servers until the upgrade is complete.

Generated by OpenCVE AI on April 21, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Critical OS Command Injection in Atlassian Bamboo Data Center Enabling Remote Code Execution
Weaknesses CWE-78
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.   This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H allows an authenticated attacker to execute commands on the remote system, which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.   Atlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Bamboo Data Center 9.6.0: Upgrade to a release greater than or equal to 9.6.25 Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.18  Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.6 See the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).
First Time appeared Atlassian
Atlassian bamboo
CPEs cpe:2.3:a:atlassian:bamboo:*:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.10:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.11:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.12:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.13:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.14:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.15:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.16:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.17:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.18:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.19:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.20:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.21:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.22:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.23:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.24:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.25:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.6:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.7:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.8:*:*:*:data_center:*:*:*
cpe:2.3:a:atlassian:bamboo:9.6.9:*:*:*:data_center:*:*:*
Vendors & Products Atlassian
Atlassian bamboo
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Atlassian Bamboo
cve-icon MITRE

Status: PUBLISHED

Assigner: atlassian

Published:

Updated: 2026-04-21T17:24:23.557Z

Reserved: 2026-01-01T00:00:40.720Z

Link: CVE-2026-21571

cve-icon Vulnrichment

Updated: 2026-04-21T17:24:15.742Z

cve-icon NVD

Status : Received

Published: 2026-04-21T17:16:22.950

Modified: 2026-04-21T18:16:21.483

Link: CVE-2026-21571

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses