Atlassian patches Bamboo RCE flaw that could let privileged users run code on build servers
Atlassian has fixed a high-severity remote code execution flaw in Bamboo Data Center and Server that could let an authenticated attacker run malicious code on the remote system. The vulnerability, tracked as CVE-2026-21570, carries a CVSS score of 8.6 and affects multiple Bamboo release lines used in enterprise build and release pipelines.
The immediate fix is to upgrade. Atlassian’s March 17, 2026 security bulletin lists Bamboo Data Center 12.1.3, 10.2.16, and 9.6.24 as the supported fixed versions, and the NVD entry repeats those same upgrade paths for customers who cannot jump straight to the latest release.
This matters because Bamboo often sits at the center of CI/CD workflows. A successful compromise of a build server can expose source code, secrets, artifacts, and deployment paths, while also creating a route for supply-chain abuse inside a development environment. That risk follows from Bamboo’s role as a build and release platform, which Atlassian positions as infrastructure for software delivery.
What Atlassian disclosed
Atlassian says CVE-2026-21570 is an RCE issue in Bamboo Data Center and Server. The vendor bulletin lists it as a high-severity vulnerability and ties it to affected Bamboo branches from 9.6 through 12.1. The NVD entry says the flaw allows an authenticated attacker to execute malicious code on the remote system.
The attack is not unauthenticated. Exploitation requires privileges, and Atlassian’s CVSS 4.0 scoring shown by NVD reflects that: high privileges required and no user interaction required. In plain terms, this is not an internet worm-style bug, but it is still dangerous in environments where admin or highly privileged accounts are exposed, reused, or compromised.
Affected versions and fixed versions
| Bamboo branch | Affected versions | Fixed version |
|---|---|---|
| 12.1 LTS | 12.1.0 to 12.1.2 | 12.1.3 |
| 12.0 | 12.0.0 to 12.0.2 | Move to a supported fixed release |
| 11.0 | 11.0.0 to 11.0.8 | Move to a supported fixed release |
| 10.2 LTS | 10.2.0 to 10.2.15 | 10.2.16 |
| 10.1 | 10.1.0 to 10.1.1 | Move to a supported fixed release |
| 10.0 | 10.0.0 to 10.0.3 | Move to a supported fixed release |
| 9.6 LTS | 9.6.1 to 9.6.23 | 9.6.24 |
Atlassian’s bulletin makes an important point here. Not every affected feature branch gets its own point fix. For unsupported or non-listed branches, the company tells customers to move to the latest version or to one of the supported fixed LTS versions.
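As an added example (not code from Atlassian or NVD), the checker below encodes the affected ranges and fixed versions from the table above and reports, for each Bamboo version string in a constructed inventory, whether the host is affected and what the bulletin's upgrade path is. The host names and version list are made up for illustration.

```python
# Added example: map Bamboo version strings onto the CVE-2026-21570 ranges
# listed in Atlassian's bulletin. Not vendor code; the inventory is constructed.

# branch -> (first affected, last affected, point fix or None when the branch
# only gets "move to a supported fixed release")
AFFECTED = {
    (12, 1): ((12, 1, 0), (12, 1, 2), (12, 1, 3)),
    (12, 0): ((12, 0, 0), (12, 0, 2), None),
    (11, 0): ((11, 0, 0), (11, 0, 8), None),
    (10, 2): ((10, 2, 0), (10, 2, 15), (10, 2, 16)),
    (10, 1): ((10, 1, 0), (10, 1, 1), None),
    (10, 0): ((10, 0, 0), (10, 0, 3), None),
    (9, 6): ((9, 6, 1), (9, 6, 23), (9, 6, 24)),
}
SUPPORTED_FIXES = ((12, 1, 3), (10, 2, 16), (9, 6, 24))


def fmt(v):
    return ".".join(str(n) for n in v)


def parse_version(text):
    """Turn '10.2.15' into (10, 2, 15); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Bamboo version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text):
    """Return (affected, advice) for one Bamboo version string."""
    v = parse_version(text)
    entry = AFFECTED.get(v[:2])
    if entry is None:
        return False, f"{text}: branch not listed in the bulletin; check Atlassian's advisory directly"
    low, high, fix = entry
    if low <= v <= high:
        if fix is not None:
            return True, f"{text}: affected; upgrade to {fmt(fix)} or later"
        options = ", ".join(fmt(f) for f in SUPPORTED_FIXES)
        return True, f"{text}: affected, no point fix for this branch; move to {options} or the latest release"
    if fix is not None and v >= fix:
        return False, f"{text}: at or above the fixed version {fmt(fix)}"
    return False, f"{text}: outside the affected range listed for this branch"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    for host, ver in [("build-01", "10.2.15"), ("build-02", "12.1.3"), ("build-03", "11.0.8")]:
        print(f"{host}: {assess(ver)[1]}")
```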
Why this flaw matters for CI/CD
Bamboo is not just another web app in the stack. It often touches source repositories, build agents, credentials, deployment workflows, and release artifacts. That means remote code execution on the Bamboo host can turn into a much broader enterprise risk, especially if the server holds secrets or has trusted paths into production systems. This is an inference from Bamboo’s operational role, but it is a grounded one.
For security teams, the bigger issue is trust. Build platforms sit in a sensitive position inside software delivery chains. Even when a flaw requires elevated privileges, it can still become serious if an attacker first steals admin credentials, abuses a compromised SSO account, or pivots from another internal foothold.
What admins should do now
- Upgrade Bamboo 12.1 deployments to 12.1.3 or later.
- Upgrade Bamboo 10.2 deployments to 10.2.16 or later.
- Upgrade Bamboo 9.6 deployments to 9.6.24 or later.
- Move unsupported Bamboo branches to a supported fixed release.
- Review privileged Bamboo accounts and remove unnecessary admin access.
- Audit Bamboo servers for unusual command execution or unexpected admin actions.
- Review secrets, build plans, and deployment integrations tied to the Bamboo host.
Atlassian’s bulletin does not describe public exploitation, and I did not find an official claim that attackers are already abusing this flaw in the wild. That means the safest framing is that this is a serious patched vulnerability, not a confirmed active exploitation event.
Quick summary
| Item | Detail |
|---|---|
| CVE | CVE-2026-21570 |
| Severity | High |
| CVSS score | 8.6 |
| Impact | Remote code execution |
| Access needed | Authenticated attacker with high privileges |
| User interaction | None |
| Fixed branches | 12.1.3, 10.2.16, 9.6.24 |
FAQ
What is CVE-2026-21570?
It is a high-severity remote code execution vulnerability in Bamboo Data Center and Server that can let an authenticated attacker execute malicious code on the remote system.
Can it be exploited without authentication?
No. Atlassian’s published CVSS data indicates the flaw requires high privileges, although it does not require user interaction and is exploitable over the network.
Which Bamboo versions contain the fix?
Atlassian lists 12.1.3, 10.2.16, and 9.6.24 as the supported fixed versions for the affected release lines.
Is the flaw being exploited in the wild?
I did not find an official Atlassian statement or NVD note saying the flaw is being actively exploited. The current public guidance focuses on patching and supported upgrade paths.