Atlassian's March Security Bulletin Fixes 21 High-Severity Flaws, Including RCEs in Bamboo

Executive Summary

Atlassian has released its scheduled March 2026 Security Bulletin, detailing patches for a large number of vulnerabilities across its product line. The update includes fixes for 21 distinct high-severity flaws affecting products like Bamboo Data Center and Server, and Bitbucket Data Center and Server. The most notable vulnerability is CVE-2026-21570, a critical Remote Code Execution (RCE) flaw in Bamboo with a CVSS score of 8.6. Atlassian strongly advises all customers to review the bulletin and upgrade their on-premise instances to a patched version as soon as possible to prevent potential exploitation.

Vulnerability Details

The bulletin covers vulnerabilities discovered through Atlassian's bug bounty program, internal testing, and third-party library scans. While the full list is extensive, the most critical issues highlighted are in Bamboo.

Bamboo Data Center and Server

• CVE-2026-21570 (CVSS 8.6, High): A Remote Code Execution (RCE) vulnerability that could allow an attacker to execute arbitrary code on a vulnerable Bamboo server. This poses a significant risk to CI/CD pipelines, as a compromise could lead to code tampering, credential theft, and unauthorized access to development environments.
• CVE-2025-68493 (CVSS 8.1, High): A missing XML validation vulnerability in a dependency, Apache Struts. This could potentially be exploited for various attacks, including denial of service or information disclosure.
• CVE-2025-64775 (CVSS 7.1, High): A Denial of Service (DoS) vulnerability, also related to the Apache Struts dependency.

Bitbucket Data Center and Server

The bulletin also includes patches for several unspecified high-severity vulnerabilities in Bitbucket.

Atlassian clarified that these vulnerabilities, while serious, did not meet the threshold for an out-of-band critical security advisory, which is reserved for issues with evidence of active exploitation or extremely high impact.

Affected Systems

• Bamboo Data Center and Server: Versions 9.6.1 through 12.1.2 are mentioned as being affected by one or more flaws. Customers should consult the specific advisories for precise version mapping.
• Bitbucket Data Center and Server: Versions 9.4.16 through 10.1.4 are mentioned. Again, specific version information is in the bulletin.

Customers should refer to the official Atlassian Security Bulletin for a complete list of affected products and fixed versions.

Impact Assessment

Exploitation of these vulnerabilities could have severe consequences, particularly the RCE in Bamboo.

• Compromise of CI/CD Pipeline: An attacker with control over a Bamboo server could inject malicious code into software builds, leading to a supply chain attack.
• Credential Theft: Bamboo servers often store credentials for accessing code repositories, artifact registries, and cloud environments. A compromise would expose these secrets.
• Data Exfiltration: Attackers could steal proprietary source code and other sensitive intellectual property.
• Denial of Service: The DoS flaws could disrupt development and deployment operations, halting productivity.

Remediation Steps

1. Prioritize and Patch (D3-SU: Software Update): Review the March 2026 Security Bulletin to identify which vulnerabilities affect your specific Atlassian product instances. Prioritize patching based on the severity of the vulnerabilities and the exposure of the systems (e.g., internet-facing instances first).
2. Upgrade to a Fixed Version: The primary remediation is to upgrade each affected product to one of the fixed versions listed in the Atlassian advisories. It is crucial to follow Atlassian's recommended upgrade paths.
3. Review Security Best Practices: For Bamboo, ensure that access to the server is tightly controlled and that build agents have the minimum necessary permissions. Regularly rotate credentials stored within the system.
4. Compensating Controls: If immediate patching is not possible, organizations should implement compensating controls, such as restricting network access to the vulnerable instances to only trusted users and IP addresses, and increasing monitoring of the systems for any signs of compromise.