OS Command Injection Vulnerability in Bamboo Data Center by Atlassian
CVE-2026-21571

9.4 CRITICAL

Key Information:

Vendor: Atlassian
CVE Published: 21 April 2026

What is CVE-2026-21571?

A significant OS Command Injection vulnerability in Bamboo Data Center allows authenticated attackers to execute arbitrary commands on the server. This issue, present in several versions including 9.6.0 and 12.1.0, poses substantial risks to confidentiality, integrity, and availability of data without requiring user interaction. To mitigate this vulnerability, Atlassian advises users to upgrade to the latest version or to specific fixed versions. For more information on updates and security practices, refer to the release notes and download center.

Affected Version(s)

Bamboo Data Center 12.1.0 to 12.1.3

Bamboo Data Center 12.0.0 to 12.0.2

Bamboo Data Center 11.0.0 to 11.0.8

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
