Atlassian A.I CyberSecurity Scoring
Atlassian
Company Information
Website: https://atlassian.com/
Employees: 21,511
Number of followers: 2,347,080
NAICS: 5112
Industry Type: Software Development
Homepage: atlassian.com
Atlassian Risk Score (AI oriented)
Atlassian (Software Development)
Score: 727/1000 (band 700–749), rating Moderate, grade Ba
Updated: 22/04/2026
Atlassian Global Score (TPRM)
Atlassian (Software Development)
Score locked

Current Score: 727, Ba (MODERATE), on a 0–1000 scale
9 incidents, -8.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 736
MAY 2026: 733
APRIL 2026: 731
Vulnerability • 21 Apr 2026 • Atlassian
Atlassian: Critical Bamboo Data Center and Server Vulnerability Enables Command Injection Attacks
Critical OS Command Injection Flaw in Atlassian Bamboo Puts CI/CD Pipelines at Risk
Score: 727 • Severity: CRITICAL-4 • Incident ID: ATL1776868681
Atlassian disclosed a critical security vulnerability (CVE-2026-21571) in Bamboo Data Center and Server, allowing remote attackers to execute arbitrary operating system commands. The flaw, assigned a CVSS score of 9.4, was published on April 21, 2026, as part of Atlassian’s monthly Security Bulletin.
The vulnerability affects multiple versions of Bamboo, including 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0. It stems from a third-party dependency but remains classified as critical due to its potential impact. Exploitation requires only low-privilege authentication and no user interaction, making it a high-risk threat for enterprise environments.
Successful attacks could enable threat actors to inject malicious code into CI/CD pipelines, compromise software supply chains, access sensitive data, or disrupt system operations. Given Bamboo’s role in automating build and deployment workflows, unpatched systems pose a significant risk to development environments.
Atlassian has released patched versions (12.1.6 (LTS), 10.2.18 (LTS), and 9.6.25) to mitigate the flaw. Organizations unable to upgrade immediately are advised to review Atlassian’s Vulnerability Disclosure Portal for mitigation steps, including monitoring authentication logs and auditing CI/CD pipelines for unauthorized changes.
The April 2026 Security Bulletin also addressed 37 additional vulnerabilities, including a CVSS 10.0 cross-site scripting flaw and a remote code execution issue in other Atlassian products like Jira, Confluence, and Bitbucket.
MARCH 2026: 732
Vulnerability • 30 Mar 2026 • Atlassian
Atlassian: Stored XSS Vulnerability in Jira Work Management Could Enable Full Organization Takeover
Critical Stored XSS Vulnerability in Atlassian Jira Enables Full Organization Takeover
Score: 728 • Severity: CRITICAL-4 • Incident ID: ATL1774866325
Security researchers at SnapSec recently disclosed a severe stored Cross-Site Scripting (XSS) vulnerability in Atlassian’s Jira Work Management, a widely used platform for project tracking and task management. The flaw, stemming from inadequate input validation in a low-risk settings menu, allows attackers with limited administrative permissions to execute a full organization takeover.
### Vulnerability Details
The issue resides in Jira’s custom priority settings, where administrators can define task importance levels (e.g., high, medium, low). While editing these priorities, users can specify an Icon URL, a field that, if manipulated, could inject malicious JavaScript. Researchers demonstrated that a Product Admin, a role with restricted but sufficient permissions, could embed a payload in the URL (e.g., `https://google.com?name=</script><script>alert(0)</script>`). Due to missing backend validation and output encoding, the script was stored in the database and executed when a Super Admin accessed the priorities configuration page.
### Exploitation & Impact
The attack leverages stored XSS, meaning no victim interaction (e.g., clicking a link) is required. Once a Super Admin loads the compromised page, the malicious script executes in their browser, operating within a highly privileged administrative context. In SnapSec’s proof-of-concept, the payload silently sent a system invitation to an attacker-controlled account, granting them full access to Jira, Confluence, and other Atlassian products. This enabled unauthorized project creation, modification, and deletion, effectively seizing control of the entire organization.
### Key Takeaways
- The vulnerability exposes a critical gap in input validation, even in mature enterprise platforms.
- Partially privileged roles (e.g., Product Admins) can escalate to full administrative control if access controls are not rigorously audited.
- The incident underscores the need for strict backend validation and output encoding across all configuration panels, regardless of perceived risk.
Atlassian has since addressed the flaw, but the discovery serves as a reminder that overlooked administrative features can become high-impact attack vectors.
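The two missing controls named above, backend validation of the Icon URL before it is stored and context-aware output encoding when it is rendered, look like this in practice. The Python below is an added example, not Atlassian's or SnapSec's code; the field name, the two rendering contexts and the benign URL are assumptions, and the hostile URL is the one quoted in the write-up above.

```python
import html
import json
from urllib.parse import urlsplit

# Payload quoted in the SnapSec write-up above, plus a constructed benign URL.
MALICIOUS_ICON_URL = "https://google.com?name=</script><script>alert(0)</script>"
BENIGN_ICON_URL = "https://cdn.example.test/icons/high.png"  # constructed sample

ALLOWED_SCHEMES = {"http", "https"}
# Characters that can break out of an HTML attribute or an inline <script> block.
FORBIDDEN_CHARS = set("<>\"'`\x00\r\n ")


def validate_icon_url(value: str, max_len: int = 2048) -> bool:
    """Server-side allowlist for an admin-supplied icon URL (assumed field).

    Accept only an absolute http(s) URL with a host and no breakout
    characters; refusing to store anything else keeps hostile markup out
    of the database, which is the first control the incident lacked.
    """
    if not value or len(value) > max_len:
        return False
    if any(ch in FORBIDDEN_CHARS for ch in value):
        return False
    parts = urlsplit(value)
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_icon_img(url: str) -> str:
    """HTML-attribute context: entity-encode, including both quote styles."""
    return '<img src="%s" alt="priority icon">' % html.escape(url, quote=True)


def render_icon_script_data(url: str) -> str:
    """Inline-script context: JSON-encode, then neutralise angle brackets.

    json.dumps escapes quotes and backslashes; replacing < and > with
    \\u escapes means a stored value can never form a closing </script>.
    """
    data = json.dumps({"iconUrl": url}).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var priority = %s;</script>" % data


if __name__ == "__main__":
    for url in (BENIGN_ICON_URL, MALICIOUS_ICON_URL):
        print(validate_icon_url(url), render_icon_img(url))
```

Either layer alone would have stopped the demonstrated payload; keeping both means a value that slips past validation (for instance via an older migration path) is still rendered inert.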
FEBRUARY 2026: 733
JANUARY 2026: 732
Vulnerability • 01 Jan 2026 • Atlassian
Atlassian: Bamboo Data Center and Server Vulnerability Enables Remote Code Execution
Atlassian Patches High-Severity RCE Vulnerability in Bamboo Data Center
Score: 728 • Severity: CRITICAL-4 • Incident ID: ATL1773995178
Atlassian has addressed a high-severity remote code execution (RCE) vulnerability, CVE-2026-21570, affecting its Bamboo Data Center application. The flaw, discovered internally through Atlassian’s security auditing program, poses significant risks to enterprise CI/CD environments, where Bamboo serves as a critical hub for automated builds, testing, and deployment.
With a CVSS 4.0 score of 8.6, the vulnerability allows authenticated attackers with elevated privileges to execute arbitrary code remotely on affected servers. Exploitation could lead to full system compromise, enabling threat actors to manipulate source code, exfiltrate sensitive build secrets, or disrupt software development operations, potentially facilitating devastating supply chain attacks.
The flaw impacts multiple Bamboo Data Center versions, including:
- 9.6.x (9.6.0–9.6.23)
- 10.0.0, 10.1.0, 10.2.0
- 11.0.0, 11.1.0
- 12.x (12.0.0–12.1.2)
Atlassian has released patches to mitigate the issue, urging administrators to upgrade immediately:
- 9.6.x → 9.6.24 or later
- 10.2.x → 10.2.16
- 12.1.x → 12.1.3 or later
Patched versions are available via the Atlassian download center. Organizations running affected deployments are advised to apply updates to secure their build infrastructure.
DECEMBER 2025: 756
Cyber Attack • 28 Dec 2025 • Atlassian
Canva, Adyen, Atlassian, HubSpot, Epic Games, Moderna, GameStop, ZoomInfo, WeWork, Halliburton, Betterment, Sonos and Telstra: Over 100 Organizations Targeted in ShinyHunters Phishing Campaign
ShinyHunters-Linked Cybercrime Campaign Targets Over 100 Major Organizations
Score: 734 • Severity: CRITICAL-22 • Incident ID: CANADYATLHUBEPIMODGAMZOOWEWHALBETSONTEL1769527593
A recent cybercrime campaign attributed to the ShinyHunters group has targeted at least 100 organizations across multiple sectors, including software, finance, healthcare, and energy, according to cybersecurity firm Silent Push. Over the past 30 days, threat actors registered fake domains impersonating high-profile companies such as Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra.
The attackers employed voice phishing (vishing) tactics to compromise single sign-on (SSO) accounts, particularly those using Okta and other identity platforms. Using specialized phishing kits, they intercepted credentials and manipulated victims into bypassing multi-factor authentication (MFA) by convincing them to approve push notifications or submit one-time passcodes (OTPs). Okta described the attacks as involving real-time session orchestration, where threat actors guided victims through the authentication process via verbal instructions.
While Silent Push identified the infrastructure used in the campaign, it remains unclear whether the attacks successfully breached any systems. However, ShinyHunters has claimed responsibility for data breaches at companies like Betterment, Crunchbase, and SoundCloud, all of which confirmed incidents. The group allegedly stole millions of records from these organizations as part of the Okta SSO vishing campaign.
Silent Push attributes the campaign to Scattered LAPSUS$ Hunters, a collective formed last year by members of Lapsus$, Scattered Spider, and ShinyHunters, based on observed tactics, techniques, and procedures (TTPs). The incident follows recent warnings from Google and others about rising vishing and phishing attacks targeting identity platforms.
NOVEMBER 2025: 755
OCTOBER 2025: 755
SEPTEMBER 2025: 754
AUGUST 2025: 753
JULY 2025: 752
JUNE 2023: 724
Vulnerability • 16 Jun 2023 • Atlassian
Atlassian Confluence Cryptomining Campaign
Score: 721 • Severity: CRITICAL-3 • Incident ID: ATL000083124
Atlassian Confluence Data Center and Server versions were affected by a critical vulnerability identified as CVE-2023-22527, which threat actors exploited for cryptomining campaigns. Through the template injection vulnerability, remote attackers could execute arbitrary code, leading to unauthorized cryptocurrency mining on the organization's resources. This activity not only used the compromised infrastructure for mining but also had the potential to disrupt operations and finances through resource exhaustion and increased operational costs. Atlassian released patches to address the issue; however, systems that were not updated remained at risk.
FEBRUARY 2023: 778
Data Leak • 01 Feb 2023 • Atlassian
Atlassian Data Leak
Score: 718 • Severity: HIGH-60 • Incident ID: ATL195481023
Atlassian revealed a data leak caused by the theft of employee login credentials, which were then used to obtain data from a third-party vendor.
More than 13,200 entries make up the employee file that was uploaded online, and a brief inspection of the file suggests that it contains data on many current employees, including names, email addresses, work departments, and other details.
The threat actors obtained information from a third-party vendor using the employee login credentials they had stolen.
The business emphasized that the event had no impact on consumer or network data.
The business acknowledged the data breach and disclosed that Envoy, a startup that offers workplace management services to the Australian software giant, was the source of the leaked data.
JUNE 2022: 778
Vulnerability • 01 Jun 2022 • Atlassian
Atlassian Confluence Server Zero-Day Vulnerability
Score: 774 • Severity: CRITICAL-4 • Incident ID: ATL23554622
Atlassian warned its customers that multiple threat groups are exploiting a zero-day vulnerability in Confluence Server.
Unauthenticated attackers can target Confluence Server and Data Center through a critical vulnerability that can be exploited for remote code execution.
The company advised users to block access to their Confluence servers from the internet, or simply disable these instances, as all supported versions of Confluence Server and Data Center are affected.
However, Atlassian expects fixes to become available soon.
AUGUST 2021: 777
Vulnerability • 01 Aug 2021 • Atlassian
Confluence Server Webwork OGNL Injection Vulnerability
Score: 773 • Severity: CRITICAL-4 • Incident ID: ATL0214622
Atlassian disclosed a Critical-rated vulnerability in its Confluence Server that customers need to patch.
The Confluence Server Webwork OGNL injection vulnerability could allow an authenticated or unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
Atlassian's own Confluence Cloud was already patched, but other hosted Confluence offerings might be vulnerable.
APRIL 2017: 794
Data Leak • 01 Apr 2017 • Atlassian
Atlassian HipChat Data Breach
Score: 745 • Severity: MEDIUM-49 • Incident ID: ATL116201123
Atlassian revealed that unidentified hackers gained access to a vast quantity of data from its group chat service HipChat by breaking into a cloud server owned by the business.
Although Atlassian did not disclose the identity of the prominent third-party software library that was utilised by its HipChat.com service, the business claims that attackers took advantage of a weakness in the library.
The business issued instructions on how to reset passwords to all users whose accounts were connected to HipChat and, as a precaution, invalidated the passwords on those accounts.
The organisation claims that although hashed passwords, email addresses, and names were accessible to hackers, no financial information was revealed.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Atlassian?
What was Atlassian's A.I Rankiteo Cyber Score in May 2026?
What was Atlassian's A.I Rankiteo Cyber Score in April 2026?
What was Atlassian's A.I Rankiteo Cyber Score in March 2026?
What was Atlassian's A.I Rankiteo Cyber Score in February 2026?
What was Atlassian's A.I Rankiteo Cyber Score in January 2026?
What was Atlassian's A.I Rankiteo Cyber Score in December 2025?
What was Atlassian's A.I Rankiteo Cyber Score in November 2025?
What was Atlassian's A.I Rankiteo Cyber Score in October 2025?
What was Atlassian's A.I Rankiteo Cyber Score in September 2025?
What was Atlassian's A.I Rankiteo Cyber Score in August 2025?
What was Atlassian's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Atlassian's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Atlassian?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Atlassian's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?