{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21570", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "state": "PUBLISHED", "assignerShortName": "atlassian", "dateReserved": "2026-01-01T00:00:40.720Z", "datePublished": "2026-03-17T18:00:00.907Z", "dateUpdated": "2026-03-17T18:21:46.118Z"}, "containers": {"cna": {"affected": [{"vendor": "Atlassian", "product": "Bamboo Data Center", "versions": [{"version": "12.1.0 to 12.1.2", "status": "affected"}, {"version": "12.0.0 to 12.0.2", "status": "affected"}, {"version": "11.0.0 to 11.0.8", "status": "affected"}, {"version": "10.2.0 to 10.2.15", "status": "affected"}, {"version": "10.1.0 to 10.1.1", "status": "affected"}, {"version": "10.0.0 to 10.0.3", "status": "affected"}, {"version": "9.6.1 to 9.6.23", "status": "affected"}, {"version": "12.1.3", "status": "unaffected"}, {"version": "10.2.16", "status": "unaffected"}, {"version": "9.6.24", "status": "unaffected"}]}], "descriptions": [{"lang": "en", "value": "This High severity RCE (Remote Code Execution)\u00a0 vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute malicious code on the remote system.\r\n\r\nAtlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center 9.6: Upgrade to a release greater than or equal to 9.6.24\r\n\r\n Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.16\r\n\r\n Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.3\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was reported via our Atlassian (Internal) program."}], "problemTypes": [{"descriptions": [{"description": "RCE (Remote Code Execution)", "lang": "en", "type": "RCE (Remote Code Execution)"}]}], "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1721271371"}, {"url": "https://jira.atlassian.com/browse/BAM-26342"}], "metrics": [{"cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:data_center:*:*:*", "versionStartIncluding": "9.6.1", "versionEndIncluding": "9.6.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.6:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.7:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.8:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.9:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.10:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.11:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.12:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.13:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.14:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.15:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.16:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.17:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.18:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.19:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.20:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.21:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.22:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.23:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.24:*:*:*:data_center:*:*:*", "vulnerable": false}]}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2026-03-17T18:00:00.907Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T18:21:29.754925Z", "id": "CVE-2026-21570", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:21:46.118Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21570", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T18:21:29.754925Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:21:21.946Z"}}], "cna": {"metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Atlassian", "product": "Bamboo Data Center", "versions": [{"status": "affected", "version": "12.1.0 to 12.1.2"}, {"status": "affected", "version": "12.0.0 to 12.0.2"}, {"status": "affected", "version": "11.0.0 to 11.0.8"}, {"status": "affected", "version": "10.2.0 to 10.2.15"}, {"status": "affected", "version": "10.1.0 to 10.1.1"}, {"status": "affected", "version": "10.0.0 to 10.0.3"}, {"status": "affected", "version": "9.6.1 to 9.6.23"}, {"status": "unaffected", "version": "12.1.3"}, {"status": "unaffected", "version": "10.2.16"}, {"status": "unaffected", "version": "9.6.24"}]}], "references": [{"url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1721271371"}, {"url": "https://jira.atlassian.com/browse/BAM-26342"}], "descriptions": [{"lang": "en", "value": "This High severity RCE (Remote Code Execution)\u00a0 vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute malicious code on the remote system.\r\n\r\nAtlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center 9.6: Upgrade to a release greater than or equal to 9.6.24\r\n\r\n Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.16\r\n\r\n Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.3\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was reported via our Atlassian (Internal) program."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "RCE (Remote Code Execution)", "description": "RCE (Remote Code Execution)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:data_center:*:*:*", "vulnerable": true, "versionEndIncluding": "9.6.23", "versionStartIncluding": "9.6.1"}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.6:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.7:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.8:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.9:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.10:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.11:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.12:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.13:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.14:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.15:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.16:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.17:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.18:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.19:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.20:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.21:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.22:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.23:*:*:*:data_center:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:bamboo:9.6.24:*:*:*:data_center:*:*:*", "vulnerable": false}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian", "dateUpdated": "2026-03-17T18:00:00.907Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21570", "state": "PUBLISHED", "dateUpdated": "2026-03-17T18:21:46.118Z", "dateReserved": "2026-01-01T00:00:40.720Z", "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "datePublished": "2026-03-17T18:00:00.907Z", "assignerShortName": "atlassian"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "This High severity RCE (Remote Code Execution)\u00a0 vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center.\r\n\r\nThis RCE (Remote Code Execution) vulnerability, with a CVSS Score of 8.6, allows an authenticated attacker to execute malicious code on the remote system.\r\n\r\nAtlassian recommends that Bamboo Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:\r\n Bamboo Data Center 9.6: Upgrade to a release greater than or equal to 9.6.24\r\n\r\n Bamboo Data Center 10.2: Upgrade to a release greater than or equal to 10.2.16\r\n\r\n Bamboo Data Center 12.1: Upgrade to a release greater than or equal to 12.1.3\r\n\r\nSee the release notes ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). You can download the latest version of Bamboo Data Center from the download center ([https://www.atlassian.com/software/bamboo/download-archives]).\r\n\r\nThis vulnerability was reported via our Atlassian (Internal) program."}, {"lang": "es", "value": "Esta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo) de alta gravedad fue introducida en las versiones 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0 y 12.1.0 de Bamboo Data Center.\n\nEsta vulnerabilidad RCE (ejecuci\u00f3n remota de c\u00f3digo), con una puntuaci\u00f3n CVSS de 8.6, permite a un atacante autenticado ejecutar c\u00f3digo malicioso en el sistema remoto.\n\nAtlassian recomienda que los clientes de Bamboo Data Center actualicen a la \u00faltima versi\u00f3n; si no puede hacerlo, actualice su instancia a una de las versiones fijas compatibles especificadas:\n Bamboo Data Center 9.6: Actualice a una versi\u00f3n mayor o igual a 9.6.24\n\n Bamboo Data Center 10.2: Actualice a una versi\u00f3n mayor o igual a 10.2.16\n\n Bamboo Data Center 12.1: Actualice a una versi\u00f3n mayor o igual a 12.1.3\n\nConsulte las notas de la versi\u00f3n ([https://confluence.atlassian.com/bambooreleases/bamboo-release-notes-1189793869.html]). Puede descargar la \u00faltima versi\u00f3n de Bamboo Data Center desde el centro de descargas ([https://www.atlassian.com/software/bamboo/download-archives]).\n\nEsta vulnerabilidad fue reportada a trav\u00e9s de nuestro programa Atlassian (Interno)."}], "id": "CVE-2026-21570", "lastModified": "2026-03-18T14:52:44.227", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@atlassian.com", "type": "Secondary"}]}, "published": "2026-03-17T18:16:14.870", "references": [{"source": "security@atlassian.com", "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1721271371"}, {"source": "security@atlassian.com", "url": "https://jira.atlassian.com/browse/BAM-26342"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.1.0,12.1.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.0.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,11.0.8]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.2.0,10.2.15]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.0,10.1.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0,10.0.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.6.1,9.6.23]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "12.1.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.2.16"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "9.6.24"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Bamboo Data Center", "source": "cna", "vendor": "Atlassian"}, "product": "bamboo", "vendor": "atlassian"}], "analysis": {"en": {"generated_at": "2026-03-17T21:23:09.928410+00:00", "value": {"mitigation_remediation": ["Upgrade Atlassian Bamboo Data Center to the fixed release recommended by Atlassian (9.6.24 or later for 9.6.x, 10.2.16 or later for 10.2.x, or 12.1.3 or later for 12.1.x).", "Verify that the upgraded instance reports the expected version number and that no additional vulnerable components remain."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are Atlassian Bamboo Data Center across multiple major releases. The flaw exists in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0. Atlassian recommends upgrading to the latest overall release, or for the specified lines, to 9.6.24 or newer, 10.2.16 or newer, or 12.1.3 or newer respectively.", "description_and_impact": "This vulnerability is a high\u2011severity Remote Code Execution flaw identified in Atlassian Bamboo Data Center. According to the vendor description, an attacker who can authenticate to the instance can execute arbitrary code on the server. The weakness is classified as CWE\u201194, which describes unsafe evaluation of code. Successful exploitation would compromise the integrity and confidentiality of the host and any dependent services, effectively giving the attacker full control of the system.", "risk_and_exploitability": "The CVSS score is 8.6, indicating a high severity vulnerability. No EPSS score is provided, and the issue is not listed in the CISA KEV catalog. Exploitation requires valid Bamboo credentials or some form of authentication. Once authenticated, the attacker can run arbitrary code on the host. The combination of a high severity score and the authentication requirement signals a significant risk for impacted organizations."}}}}, "created": "2026-03-18T12:13:03.389439+00:00", "updated": "2026-03-24T10:48:58.045627+00:00", "vendors": ["atlassian", "atlassian$PRODUCT$bamboo"]}