What did Atlassian's April 2026 Security Bulletin address?

Atlassian's April 2026 Security Bulletin, published on April 21, 2026, addressed a total of 38 vulnerabilities across its Data Center and Server product lines, including 31 high-severity flaws and 7 critical-severity third-party vulnerabilities. The bulletin impacts Bamboo, Bitbucket, Confluence, Jira, and Jira Service Management.

What are the most critical vulnerabilities disclosed in the bulletin?

The most critical vulnerabilities include CVE-2026-21571 (CVSS 9.4), an OS command injection flaw in Bamboo; CVE-2024-47875 (CVSS 10.0), a mutation Cross-Site Scripting flaw in the dompurify dependency affecting Jira Software and Jira Service Management; CVE-2022-1471 (CVSS 9.8), a Remote Code Execution flaw in the snakeyaml dependency affecting Confluence, Jira Software, and Jira Service Management; CVE-2021-31597 (CVSS 9.4), a Man-in-the-Middle flaw in the xmlhttprequest dependency in Jira Service Management; and CVE-2026-25547 (CVSS 9.2), a Denial of Service flaw in the brace-expansion dependency in Jira Software.

Which product versions are affected?

Affected versions span a broad range across all five products. Bamboo versions 9.6.2 through 12.1.3 are affected; Bitbucket versions 9.4.12 through 10.1.5; Confluence versions 8.9.1 through 10.2.7; and Jira and Jira Service Management releases up through 11.3.3.

What are the recommended fixed versions?

Atlassian recommends administrators upgrade to the latest Long-Term Support versions: Bamboo 12.1.6 (LTS) and 10.2.18 (LTS), Bitbucket 10.2.2 (LTS) and 9.4.19 (LTS), Confluence 10.2.10 (LTS) and 9.2.19 (LTS), and Jira/Jira Service Management 11.3.4 (LTS) and 10.3.19 (LTS) for Data Center deployments.

Do Atlassian Cloud customers need to take action?

No, Atlassian Cloud customers do not need to take action, as those environments are patched automatically by Atlassian. However, organizations running self-hosted Atlassian deployments should prioritize patching, as these dependency flaws cover remote code execution, arbitrary file write, and command injection primitives that attackers routinely chain into full compromise paths.

Advisory

Atlassian Patches 38 Vulnerabilities in April 2026, Including Multiple Critical Flaws

published: yesterday

Take action: If you run self-hosted Atlassian products (Bamboo, Bitbucket, Confluence, Jira, or Jira Service Management), upgrade to the latest Long-Term Support (LTS) versions listed in the April 2026 security bulletin as soon as possible.

Learn More

Atlassian has released its April 2026 Security Bulletin, patching a total of 38 vulnerabilities across its Data Center and Server product lines. The flaws affect Bamboo, Bitbucket, Confluence, Jira, and Jira Service Management.

Vulnerabilities summary:

CVE-2026-21571 (CVSS score 9.4) - OS command injection flaw in Bamboo Data Center and Server. Given Bamboo's role in automating build and deployment workflows, successful exploitation could enable threat actors to inject malicious code into CI/CD pipelines, compromise software supply chains, access sensitive data, or disrupt system operations.
CVE-2024-47875 (CVSS score 10.0) – mXSS (mutation Cross-Site Scripting) in the dompurify dependency, affecting Jira Software and Jira Service Management Data Center and Server.
CVE-2022-1471 (CVSS score 9.8) – Remote Code Execution in the org.yaml:snakeyaml dependency, affecting Confluence, Jira Software, and Jira Service Management Data Center.
CVE-2021-31597 (CVSS score 9.4) – Man-in-the-Middle in the xmlhttprequest dependency in Jira Service Management Data Center.
CVE-2026-25547 (CVSS score 9.2) – Denial of Service in the brace-expansion dependency in Jira Software Data Center.

The bulletin additionally addresses a long list of high-severity vulnerabilities spanning denial-of-service weaknesses, HTTP request smuggling, path traversal, file inclusion, improper authorization, DOM-based cross-site scripting, and man-in-the-middle issues.

High-severity entries include CVE-2026-33871 (CVSS score 8.7) affecting the io.netty:netty-codec-http2 dependency in both Bamboo and Confluence, CVE-2026-23950 (CVSS score 8.8) for path traversal in the node-tar dependency in Confluence, CVE-2025-48734 (CVSS score 8.8) for improper authorization in the commons-beanutils dependency affecting Jira and Jira Service Management, and CVE-2022-25927 (CVSS score 7.5) impacting the ua-parser-js dependency in Bitbucket Data Center. Multiple file inclusion flaws in node-tar (CVE-2026-23745, CVE-2026-24842, CVE-2026-31802, and CVE-2026-26960) also affect Confluence.

The affected versions are.

For Bamboo, versions from 9.6.2 through 12.1.3 are affected;
for Bitbucket, versions 9.4.12 through 10.1.5;
for Confluence, versions 8.9.1 through 10.2.7;
for Jira and Jira Service Management, multiple releases up through 11.3.3.

Atlassian recommends administrators upgrade to the latest Long-Term Support versions:

Bamboo 12.1.6 (LTS) and 10.2.18 (LTS),
Bitbucket 10.2.2 (LTS) and 9.4.19 (LTS),
Confluence 10.2.10 (LTS) and 9.2.19 (LTS),
Jira/Jira Service Management 11.3.4 (LTS) and 10.3.19 (LTS)

Atlassian Cloud customers do not need to take action, as those environments are patched automatically by Atlassian.

Atlassian Patches 38 Vulnerabilities in April 2026, Including Multiple Critical Flaws

Read More
CISA Confirms Active Exploitation of Three Cisco Networking …
Snowflake attack research - data breaches are related …
Microsoft reports on-premise SharePoint vulnerability under active attack
SolarWinds Web Help Desk bug being actively attacked
NVIDIA Patches Multiple Flaws Including Critical RCE Vulnerability …