Security patches: Malicious code attacks on Atlassian Bamboo possible
Attackers can target Atlassian applications. In the worst case, malicious code can compromise systems.
Atlassian Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, Fisheye/Crucible, Jira Data Center and Server, and Jira Service Management Data Center and Server are vulnerable. In the current versions, the developers have closed DoS and malicious code vulnerabilities, among others.
Install security patches
Although, according to the software manufacturer, there are currently no indications of ongoing attacks, administrators should promptly update their Atlassian applications to the current version. Otherwise, attackers can, for example, attack Bamboo Data Center and Server with malicious code (CVE-2026-21570, “high”) or take Jira Data Center and Server out of service with a DoS attack (CVE-2022-25927, “high”). In addition, unauthorized file access is possible in Jira Service Management Data Center and Server (CVE-2026-23950, “high”). Further information on the closed vulnerabilities can be found in the security section of the Atlassian website.
The following versions are protected against the described attacks:
- Bamboo Data Center and Server: 12.1.3 (LTS, recommended, Data Center only), 10.2.16 (LTS, Data Center only), 9.6.24 (LTS, Data Center only)
- Bitbucket Data Center and Server: 10.2.0 to 10.2.1 (LTS, recommended, Data Center only), 10.1.5 (Data Center only), 9.4.17 to 9.4.18 (LTS, Data Center only)
- Confluence Data Center and Server: 10.2.7 (LTS, recommended, Data Center only), 9.2.15 to 9.2.17 (LTS, Data Center only), 9.0.2 to 9.0.3 (Data Center only)
- Crowd Data Center and Server: 7.1.5 (recommended, Data Center only), 6.3.5 (Data Center only)
- Fisheye/Crucible: 4.9.8 (recommended)
- Jira Data Center and Server: 11.3.3 (LTS, recommended, Data Center only), 10.3.18 (LTS, Data Center only)
- Jira Service Management Data Center and Server: 11.3.3 (LTS, recommended, Data Center only), 10.3.18 (LTS, Data Center only)
(des)