
PEACH
Un cadre d’isolation des locataires
CVE-2026-21571 is a Critical severity OS Command Injection vulnerability in Atlassian Bamboo Data Center that allows authenticated remote attackers to execute arbitrary OS commands on affected systems. The vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. It was disclosed and patched on April 21, 2026, as part of Atlassian's monthly security bulletin. The vulnerability carries a CVSS v4.0 base score of 9.4 (Critical) (Atlassian Advisory, Github Advisory).
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning Bamboo Data Center fails to properly sanitize user-supplied input before incorporating it into OS-level commands. An authenticated attacker can exploit this over the network with low attack complexity and no special attack requirements or user interaction, making it straightforward to weaponize with valid credentials. Atlassian notes this is a vulnerability in a non-Atlassian dependency used by Bamboo Data Center, though the application's use of the dependency presents a critical assessed risk in this context (Atlassian Advisory, Github Advisory). No public proof-of-concept exploit code has been identified at this time (Github Advisory).
Successful exploitation allows an authenticated attacker to execute arbitrary OS commands on the Bamboo Data Center host, resulting in high impact to confidentiality, integrity, and availability of both the vulnerable system and subsequent systems. An attacker could exfiltrate sensitive CI/CD pipeline data, credentials, and source code; modify build configurations or artifacts; or disrupt build and deployment operations entirely. Given Bamboo's role as a CI/CD orchestration platform, compromise could facilitate lateral movement into connected development infrastructure, code repositories, and deployment targets (Atlassian Advisory, Github Advisory).
;, &&, |, backticks) embedded in the vulnerable parameter to append or replace the intended OS command.;, &&, |, backticks) in parameter values; authentication events from unfamiliar accounts or IP addresses./bin/sh, /bin/bash, cmd.exe, curl, wget, python, nc) indicating OS command execution.Atlassian recommends upgrading Bamboo Data Center to the latest available version. Specific minimum fixed versions are: 9.6.25 or later for the 9.6.x LTS branch, 10.2.18 or later for the 10.2.x LTS branch, and 12.1.6 or later for the 12.1.x LTS branch. Versions in the 10.0.x, 10.1.x, 11.0.x, 11.1.x, and 12.0.x branches should be upgraded to a supported LTS fixed version. As an interim measure, restrict Bamboo Data Center access to trusted, authenticated users only and limit network exposure until patching is complete (Atlassian Advisory, Github Advisory).
The vulnerability received coverage from multiple security news outlets including SecurityOnline, CyberSecurityNews, GBHackers, Security Boulevard, and The Hacker News (in their weekly recap), highlighting the critical risk to CI/CD pipelines (SecurityOnline, The Hacker News). Community commentary emphasized the elevated risk posed by command injection in CI/CD infrastructure, given the potential for supply chain compromise. Atlassian issued the patch as part of its April 21, 2026 monthly security bulletin, which also addressed 31 high-severity and 6 other critical-severity vulnerabilities across its product suite (Atlassian Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."