Atlassian Security Patches: Bamboo, Confluence & Co. Vulnerable

(Image: Tatiana Popova/Shutterstock.com)

DoS and malware security vulnerabilities threaten Atlassian applications. Admins should install patches promptly.

Attackers can exploit multiple software vulnerabilities in Atlassian Bamboo Data Center and Server, Confluence Data Center and Server, and Jira Data Center and Server and, in the worst case, compromise affected systems completely. Security updates are available.

So far, the software vendor has issued no warnings that attackers are already exploiting the vulnerabilities. However, this could change quickly, so admins should act soon. The patched versions that protect against the attacks described below are listed at the end of this article.

Different threats

In the security section of its website [1], Atlassian has listed the now-closed security vulnerabilities and the specific versions at risk. The most dangerous is a “critical” vulnerability (CVE-2026-22732) in the Spring Security framework used by Jira Data Center and Server. Here, attackers can target instances in the context of HTTP headers and, for example, access supposedly isolated data. How such an attack could unfold in concrete terms is not yet known.

The remaining vulnerabilities are all classified as “high” severity. Here, attackers can, for example, execute malicious code remotely within Fisheye/Crucible (such as CVE-2026-27830). If attackers successfully target Confluence Data Center and Server, crashes can occur (CVE-2026-29062) or data can leak (CVE-2026-29146).

The developers state that the flaws have been fixed in the following versions:

Bamboo Data Center and Server: 12.1.7 (LTS) recommended Data Center Only, 10.2.19 (LTS) Data Center Only, 9.6.26 (LTS) Data Center Only
Bitbucket Data Center and Server: 10.2.2 to 10.2.3 (LTS) recommended Data Center Only, 9.4.19 to 9.4.20 (LTS) Data Center Only
Confluence Data Center and Server: 10.2.11 (LTS) recommended Data Center Only, 9.2.20 (LTS) Data Center Only
Fisheye/Crucible: 4.9.10 recommended
Jira Data Center and Server: 11.3.5 to 11.3.6 (LTS) recommended Data Center Only, 10.3.20 to 10.3.21 (LTS) Data Center Only, 9.12.35 (LTS)
Jira Service Management Data Center and Server: 11.3.5 to 11.3.6 (LTS) recommended Data Center Only, 10.3.20 to 10.3.21 (LTS) Data Center Only

(des [3])

URL of this article: https://www.heise.de/-11301596

Links in this article:
[1] https://confluence.atlassian.com/security/security-bulletin-may-19-2026-1786839142.html
[2] https://pro.heise.de/security/?LPID=39555_HS1L0001_27416_999_0&wt_mc=disp.fd.security-pro.security_pro24.disp.disp.disp
[3] mailto:des@heise.de

Copyright © 2026 Heise Medien

heise security News