Atlassian patches critical Bamboo command injection flaw and high-severity Netty issue
Atlassian has disclosed two major security issues in Bamboo Data Center and Server, including a critical OS command injection vulnerability and a high-severity denial-of-service flaw tied to a bundled Netty dependency. The company says affected customers should upgrade as soon as possible to supported fixed releases.
The more serious issue, CVE-2026-21571, carries a CVSS score of 9.4 and affects multiple Bamboo release lines. Atlassian says the bug allows an authenticated attacker to execute commands on the remote system, which can have high impact on confidentiality, integrity, and availability.
That detail matters: the flaw is severe, but on Atlassian’s own wording it is not an unauthenticated, internet-facing bug. The advisory says the attacker needs low privileges, not no access at all. That still makes the issue dangerous in enterprise CI/CD environments where many users, build agents, and integrations may already hold Bamboo accounts.
What Atlassian says is affected
Atlassian’s April 21, 2026 security bulletin lists CVE-2026-21571 and CVE-2026-33871 for Bamboo Data Center and Server. The affected Bamboo versions are 12.1.0 to 12.1.3, 12.0.0 to 12.0.2, 11.0.0 to 11.0.8, 10.2.0 to 10.2.16, 10.1.0 to 10.1.1, 10.0.0 to 10.0.3, and 9.6.2 to 9.6.24.
For customers who cannot move to the latest feature release, Atlassian recommends patched LTS builds. The company lists Bamboo 12.1.6 and 10.2.18 as fixed versions in the bulletin, while the dedicated advisory for CVE-2026-21571 also names 9.6.25 as a supported fixed release for the 9.6 line.
That means some summaries of the bug miss an important point. The fixed-version guidance is slightly broader in the advisory than in the short bulletin table, so admins on older LTS branches should check the advisory and release notes, not just headlines.
The critical Bamboo flaw is command injection
Atlassian classifies CVE-2026-21571 as an OS command injection vulnerability in Bamboo Data Center. The company says the issue was introduced in several Bamboo branches, including 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0.
Because Bamboo sits at the center of automated builds, testing, and release workflows, command execution on the Bamboo host can create much wider risk than a normal application bug. A successful attacker could potentially reach stored secrets, tamper with pipelines, alter artifacts, or pivot deeper into development infrastructure. This is an inference based on Bamboo’s role and Atlassian’s high-impact assessment of the flaw.
Atlassian says the vulnerability came through its bug bounty process. The advisory does not say the flaw is under active exploitation, but the combination of critical severity and Bamboo’s position in enterprise software delivery makes fast patching the safest course.
The second issue comes from Netty’s HTTP/2 codec
The second disclosed issue, CVE-2026-33871, is a denial-of-service vulnerability in the io.netty:netty-codec-http2 dependency bundled with Bamboo. Atlassian rates it 8.7 High in the April bulletin.
Atlassian also adds an important qualifier. The bulletin says this is a vulnerability in a non-Atlassian dependency and that Bamboo’s specific use of that dependency presents a lower, non-critical assessed risk. That does not remove the need to patch, but it does mean the vendor sees the Netty issue as less urgent in Bamboo than the raw dependency score might suggest.
The practical impact still matters for teams that rely on Bamboo availability for builds and releases. Even a DoS bug can interrupt CI/CD operations, delay deployments, and affect developer workflows if attackers or testers can reach the vulnerable service. That operational impact is an inference from the nature of Bamboo and the published DoS classification.
Bamboo versions, CVEs, and fixes
| Item | Verified detail |
|---|---|
| Critical flaw | CVE-2026-21571 |
| Critical flaw type | OS command injection |
| Critical flaw score | CVSS 9.4 |
| Access required | Authenticated attacker with low privileges |
| Second flaw | CVE-2026-33871 |
| Second flaw type | DoS in io.netty:netty-codec-http2 |
| Second flaw score | CVSS 8.7 |
| Main fixed versions in bulletin | 12.1.6 LTS and 10.2.18 LTS |
| Additional fixed version in advisory | 9.6.25 |
The table reflects Atlassian’s advisory and April 2026 security bulletin.
What admins should do now
- Check the deployed Bamboo version against Atlassian’s affected-version list.
- Upgrade to a supported fixed release, preferably the latest available build or one of the listed LTS fixes.
- Give CVE-2026-21571 the highest priority because Atlassian classifies it as critical and says it enables remote command execution by an authenticated attacker.
- Restrict access to Bamboo interfaces and admin functions while patching, especially if the instance is broadly reachable inside the organization. This is a prudent mitigation based on the vulnerability’s authenticated nature, though Atlassian’s advisory centers on upgrading rather than a detailed workaround.
- Review release notes and the download archive directly before selecting the target version. Atlassian says the bulletin’s fixed versions are current as of publication and points admins to release notes for the most up-to-date information.
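The first two steps above (compare the deployed version against the affected list, then pick a fixed release on the same line) are easy to get wrong by eye when seven ranges are involved. The script below is an added example, not Atlassian’s tooling or anything from the bulletin: it encodes the affected ranges and fixed versions exactly as stated in this article, parses Bamboo’s dotted version numbers, and classifies each entry of a constructed host inventory. Versions that fall outside the published affected ranges but are not one of the named fixed releases (for instance 12.1.4) are reported as "unlisted" rather than safe, because the bulletin does not state their status and the article’s own advice is to consult the release notes.

```python
from typing import Dict, List, Optional, Tuple

# Affected version ranges (inclusive), as listed in Atlassian's April 21, 2026
# bulletin for Bamboo Data Center and Server and quoted in the article above.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("12.1.0", "12.1.3"),
    ("12.0.0", "12.0.2"),
    ("11.0.0", "11.0.8"),
    ("10.2.0", "10.2.16"),
    ("10.1.0", "10.1.1"),
    ("10.0.0", "10.0.3"),
    ("9.6.2", "9.6.24"),
]

# Fixed releases named in the bulletin (12.1.6, 10.2.18) and in the dedicated
# advisory for CVE-2026-21571 (9.6.25), keyed by the release line they patch.
# Other lines have no fixed build named on this page; the bulletin points
# customers on those lines to an LTS or the latest feature release instead.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (12, 1): "12.1.6",
    (10, 2): "10.2.18",
    (9, 6): "9.6.25",
}

# Constructed sample inventory (hostname, deployed version); not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("bamboo-prod-1", "12.1.3"),
    ("bamboo-prod-2", "12.1.6"),
    ("bamboo-staging", "12.1.4"),
    ("bamboo-legacy", "9.6.24"),
    ("bamboo-ci-11", "11.0.8"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '10.2.16' into a comparable integer tuple.

    A trailing qualifier like '-SNAPSHOT' is dropped; anything non-numeric in
    the dotted core raises ValueError so a typo never silently reads as 'safe'.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable Bamboo version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside any published affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """The fixed build named on this page for the version's release line, if any."""
    return FIXED_VERSIONS.get(parse_version(version)[:2])


def assess(version: str) -> str:
    """Classify a deployed version as 'fixed', 'affected' or 'unlisted'.

    'fixed' means at or above the named fixed build for that line;
    'affected' means inside a published affected range;
    'unlisted' means the bulletin quoted here states nothing about it, so the
    admin should check Atlassian's release notes rather than assume it is safe.
    """
    v = parse_version(version)
    fix = FIXED_VERSIONS.get(v[:2])
    if fix is not None and v >= parse_version(fix):
        return "fixed"
    if is_affected(version):
        return "affected"
    return "unlisted"


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host in the inventory to its assessment."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        status = assess(version)
        fix = recommended_fix(version)
        target = f" -> upgrade to {fix}" if status == "affected" and fix else ""
        print(f"{host:16} {version:8} {status}{target}")
```

Run it over a real inventory export instead of `SAMPLE_INVENTORY`, and treat "unlisted" as an action item, not a pass: 11.0.x has no fixed build named in the article, so those hosts need a move to a patched LTS line.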
FAQ
No. Atlassian says CVE-2026-21571 allows an authenticated attacker with low privileges to execute commands on the remote system.
Atlassian lists affected versions from 9.6.2 through 12.1.3 across several branches in the April 21, 2026 bulletin.
Atlassian’s bulletin lists 12.1.6 and 10.2.18 as fixed versions, and the dedicated advisory for CVE-2026-21571 also lists 9.6.25 for the 9.6 LTS line.
Atlassian scores CVE-2026-33871 as 8.7 High, but says Bamboo’s specific use of the vulnerable dependency presents a lower, non-critical assessed risk.