
PEACH
Un cadre d’isolation des locataires
CVE-2026-21570 is a Remote Code Execution (RCE) vulnerability in Atlassian Bamboo Data Center, classified as High severity with a CVSS v4.0 score of 8.6. It was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center, affecting all releases up to the fixed versions. The vulnerability was disclosed on March 17, 2026, as part of Atlassian's monthly Security Bulletin, and was reported through Atlassian's internal bug bounty program (Atlassian Advisory, ENISA EUVD).
The vulnerability is classified under CWE-94 (Improper Control of Generation of Code / 'Code Injection'), indicating that user-controlled input is improperly handled and can be used to inject and execute arbitrary code on the server (ENISA EUVD). Exploitation requires network access and high privileges (authenticated attacker), with no user interaction needed and low attack complexity, meaning a privileged user can directly trigger the vulnerability without special conditions (Atlassian Advisory). No public technical write-up or proof-of-concept code has been identified at this time (Feedly).
Successful exploitation allows an authenticated attacker to execute arbitrary malicious code on the remote Bamboo Data Center system with the privileges of the application process, resulting in high impacts to confidentiality, integrity, and availability of the affected system (Atlassian Advisory). Given Bamboo's role as a CI/CD automation server, a compromised instance could expose build secrets, source code, deployment credentials, and pipeline configurations, potentially enabling lateral movement into connected infrastructure (GBHackers, CyberSecurityNews).
Atlassian recommends upgrading Bamboo Data Center to one of the following fixed versions: 9.6.24 (for the 9.6.x LTS branch), 10.2.16 (for the 10.2.x LTS branch), or 12.1.3 (for the 12.1.x LTS branch) (Atlassian Advisory). Upgrading to the latest available version is the preferred remediation. If immediate patching is not feasible, organizations should restrict access to Bamboo Data Center to trusted, authenticated users only and monitor for suspicious activity. No specific configuration-based workaround has been published by Atlassian.
The vulnerability received coverage from several security news outlets including GBHackers, CyberSecurityNews, SecurityOnline, and Heise (German-language tech media), highlighting the risk to CI/CD pipeline infrastructure (GBHackers, Heise). The vulnerability was also mentioned in The Hacker News weekly recap for the week of March 17, 2026 (The Hacker News). Community reaction has been moderate, with emphasis on the importance of patching given Bamboo's privileged position in software delivery pipelines.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."