Critical Command Injection Flaw (CVE-2026-21571)
The more severe of the two vulnerabilities, tracked as CVE-2026-21571, carries a CVSS score of 9.4 (Critical) and affects Bamboo Data Center and Server across multiple version branches.
Classified as an OS Command Injection vulnerability, this flaw could allow a remote attacker to execute arbitrary operating system commands on the underlying server, potentially leading to full system compromise, lateral movement across networks, or sensitive data exfiltration.
The vulnerability impacts the following Bamboo versions:
- 12.1.0 to 12.1.3 (LTS)
- 12.0.0 to 12.0.2
- 11.0.0 to 11.0.8
- 10.2.0 to 10.2.16 (LTS)
- 10.1.0 to 10.1.1
- 10.0.0 to 10.0.3
- 9.6.2 to 9.6.24 (LTS)
Atlassian recommends upgrading to 12.1.6 (LTS) for Data Center deployments or 10.2.18 (LTS) as an alternative patched release.
High-Severity DoS Via Netty Dependency (CVE-2026-33871)
The second vulnerability, CVE-2026-33871, scores 8.7 (High) and stems from a denial-of-service weakness in the third-party io.netty:netty-codec-http2 library bundled with Bamboo.
An attacker exploiting this flaw could overwhelm the server’s HTTP/2 processing, causing service disruption and degraded availability for CI/CD pipelines relying on Bamboo.
Atlassian clarified that while the underlying dependency carries an inherently higher risk rating in isolation, Bamboo's specific use of the library presents a lower, non-critical assessed risk, though patching remains strongly advised.
Bamboo is a widely deployed CI/CD automation server used in enterprise software development pipelines, making it an attractive target for threat actors seeking to infiltrate development supply chains or inject malicious code into build processes.
Command injection vulnerabilities in such environments are particularly dangerous, as they can enable attackers to tamper with build artifacts or harvest credentials stored within pipeline configurations.
Atlassian has made fixed versions available through its official download archives. Administrators should audit currently deployed Bamboo versions against the affected ranges and prioritize upgrading to the recommended LTS releases without delay.
Network-level restrictions on Bamboo’s administrative interfaces can serve as a temporary mitigation while patches are applied.
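As an added illustration of the audit step above (not code from Atlassian or the original article), the script below checks a small inventory of deployed Bamboo versions against the affected ranges listed for CVE-2026-21571 and picks the recommended fixed release. It assumes plain dotted-integer version strings, treats only the ranges named above as affected, and the "nearest non-downgrade" choice between 12.1.6 and 10.2.18 is this example's own heuristic.

```python
# Added example, not from the advisory: audit Bamboo versions against the
# affected ranges quoted above. Assumes versions are dotted integers ("10.2.7").

AFFECTED_RANGES = [
    # (first affected, last affected, is_lts) exactly as listed in the advisory
    ("12.1.0", "12.1.3", True),
    ("12.0.0", "12.0.2", False),
    ("11.0.0", "11.0.8", False),
    ("10.2.0", "10.2.16", True),
    ("10.1.0", "10.1.1", False),
    ("10.0.0", "10.0.3", False),
    ("9.6.2", "9.6.24", True),
]

# Patched LTS releases recommended in the advisory.
FIXED_RELEASES = ("12.1.6", "10.2.18")


def parse_version(text):
    """Turn '10.2.16' into (10, 2, 16) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True if the version lies inside any affected range (both ends inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi, _ in AFFECTED_RANGES)


def recommended_upgrade(version):
    """Return the lowest fixed release that is not a downgrade, or None if unaffected.

    Heuristic of this example only: the advisory recommends 12.1.6 for Data
    Center and 10.2.18 as the alternative; we pick the closer one upward.
    """
    if not is_affected(version):
        return None
    v = parse_version(version)
    candidates = [f for f in FIXED_RELEASES if parse_version(f) >= v]
    return min(candidates, key=parse_version) if candidates else None


def audit(inventory):
    """Audit a {host: version} mapping; return (host, version, fix) for affected hosts."""
    return [(host, ver, recommended_upgrade(ver))
            for host, ver in inventory.items() if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration.
    sample = {"build-01": "12.1.3", "build-02": "10.2.16", "build-03": "12.1.6"}
    for host, ver, fix in audit(sample):
        print(f"{host}: Bamboo {ver} is affected by CVE-2026-21571, upgrade to {fix}")
```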
The post Critical Atlassian Bamboo Data Center and Server Flaw Enables Command Injection Attacks appeared first on Cyber Security News.
