Atlassian Product Security Update Advisory (CVE-2026-21571)

Summary.


An OS command injection vulnerability (CVE-2026-21571) has been reported in Atlassian Bamboo Data Center and Server. The vulnerability allows commands to be injected and executed remotely, which could lead to system compromise and privilege escalation.

Affected Versions.


  • Versions of Bamboo Data Center and Server ranging from 12.1.0 to 12.1.3 (LTS) are affected.
  • Bamboo Data Center and Server versions ranging from 12.0.0 to 12.0.2 are affected.
  • Versions of Bamboo Data Center and Server ranging from 11.0.0 to 11.0.8 are affected.
  • Versions of Bamboo Data Center and Server ranging from 10.2.0 to 10.2.16 (LTS) are affected.
  • Versions of Bamboo Data Center and Server ranging from 10.1.0 to 10.1.1 are affected.
  • Versions of Bamboo Data Center and Server ranging from 10.0.0 to 10.0.3 are affected.
  • Versions of Bamboo Data Center and Server ranging from 9.6.2 to 9.6.24 (LTS) are affected.

Vulnerability Details.


  • The vulnerability type is OS command injection.
  • Threat actors may be able to execute arbitrary operating system commands by bypassing input validation.
  • If successful, this could lead to security incidents such as remote command execution, data exfiltration, service disruption, and privilege escalation.

Resolution and Advisory.


  • Atlassian has released a patch for the vulnerability and recommends upgrading to a version that includes the patch.
  • The security post lists Bamboo Data Center 12.1.6 (LTS) and 10.2.18 (LTS) as the main patched versions.
  • Environments using the affected versions should check the latest security advisories and release notes to develop a patch plan.
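
To support patch planning, the following added example (not part of the original advisory and not Atlassian code) classifies installed Bamboo versions against the affected ranges and patched releases listed above. The host names and inventory are constructed, and the function names and the "fixed-or-later" rule are assumptions of this example.

```python
import re

# Affected ranges as listed in the advisory above (inclusive bounds).
AFFECTED = [("12.1.0", "12.1.3"), ("12.0.0", "12.0.2"), ("11.0.0", "11.0.8"),
            ("10.2.0", "10.2.16"), ("10.1.0", "10.1.1"), ("10.0.0", "10.0.3"),
            ("9.6.2", "9.6.24")]
# Patched releases named in the advisory above.
FIXED = ["12.1.6", "10.2.18"]

def parse(version):
    """Turn 'X.Y.Z' into a tuple of ints so 10.2.9 sorts below 10.2.16."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"not an X.Y.Z version: {version!r}")
    return tuple(int(part) for part in m.groups())

def classify(version):
    """Return 'affected', 'fixed-or-later', 'unlisted' or 'unparseable'."""
    try:
        v = parse(version)
    except ValueError:
        return "unparseable"
    if any(parse(lo) <= v <= parse(hi) for lo, hi in AFFECTED):
        return "affected"
    # Assumption: later patch releases on the same X.Y line keep the fix.
    if any(v[:2] == parse(f)[:2] and v >= parse(f) for f in FIXED):
        return "fixed-or-later"
    # Outside every listed range: the advisory makes no statement, so this
    # is a "check the vendor advisory" result, not a "safe" result.
    return "unlisted"

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = {
    "bamboo-build-01": "12.1.2",
    "bamboo-build-02": "10.2.9",
    "bamboo-build-03": "12.1.6",
    "bamboo-lab": "12.1.4",
    "bamboo-legacy": "9.6.1",
    "bamboo-unknown": "10.2.x",
}

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:16} {INVENTORY[host]:8} {status}")
```

Versions are compared as integer tuples because a plain string comparison would place 10.2.9 above 10.2.16 and miss an affected host.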

Notes.