Security Bulletin - May 19 2026

セキュリティ アドバイザリーおよびセキュリティ情報

このページの内容

関連コンテンツ

  • 関連コンテンツがありません

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

May 2026 Security Bulletin

The vulnerabilities reported in this Security Bulletin include 39 high-severity vulnerabilities and 3 critical-severity third-party vulnerabilities, which have been fixed in new versions of our products released in the last month.

CVEs reported in monthly Security Bulletins have been assessed as presenting a non-critical risk to Atlassian customers. Atlassian issues Critical Security Advisories for vulnerabilities that pose an immediate critical risk based on how our products actually use the affected components outside of our monthly Security Bulletin schedule as necessary.

Vulnerabilities are discovered through our Bug Bounty program, pen-testing processes, and third-party library scans.

INSTRUCTIONS

To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of May 19, 2026 (date of publication); visit the linked product Release Notes for the most up-to-date versions.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

リリースされたセキュリティ脆弱性
Product & Release Notes影響を受けるバージョン修正対象バージョンVulnerability SummaryCVE IDCVSS Severity
Bamboo Data Center and Server
  • 12.1.0 to 12.1.6 (LTS)
  • 12.0.0 から 12.0.2
  • 11.0.0 から 11.0.8
  • 10.2.0 to 10.2.18 (LTS)
  • 10.1.0 から 10.1.1
  • 10.0.0 から 10.0.3
  • 9.6.3 to 9.6.25 (LTS)
  • 12.1.7 (LTS) recommended Data Center Only
  • 10.2.19 (LTS) Data Center Only
  • 9.6.26 (LTS) Data Center Only
Covert timing channel at org.bouncycastle:bcprov-jdk18on dependency in Bamboo Data CenterCVE-2026-55988.9 High
RCE (Remote Code Execution) at mchange-commons-java dependency in Bamboo Data CenterCVE-2026-277278.9 High
Directory Traversal vulnerability at plexus-utils dependency in Bamboo Data CenterCVE-2025-670308.8 High
DoS (Denial of Service) at jackson-core dependency in Bamboo Data CenterCVE-2026-290628.7 High
Information Disclosure org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data CenterCVE-2026-344877.5 High
Injection org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data CenterCVE-2026-344837.5 High
Security Misconfiguration vulnerability at Tomcat dependency in Bamboo Data CenterCVE-2026-291297.5 High
DoS (Denial of Service) at org.apache.activemq dependency in Bamboo Data CenterCVE-2026-393047.5 High
Bitbucket Data Center および Server
  • 10.2.0 to 10.2.1 (LTS)
  • 10.1.1 から 10.1.5
  • 10.0.0 から 10.0.2
  • 9.6.0 から 9.6.5
  • 9.5.0 から 9.5.2
  • 9.4.0 to 9.4.18 (LTS)
  • 9.3.0 から 9.3.2
  • 9.2.0 から 9.2.1
  • 9.1.0 から 9.1.1
  • 9.0.1
  • 8.19.0 to 8.19.29 (LTS)
  • 10.2.2 to 10.2.3 (LTS) recommended Data Center Only
  • 9.4.19 to 9.4.20 (LTS) Data Center Only
DoS (Denial of Service) in Bitbucket Data CenterCVE-2026-337507.5 High
XSS (Cross Site Scripting) dompurify Dependency in Bitbucket Data CenterCVE-2024-458017.3 High
Confluence Data Center および Server
  • 10.2.0 to 10.2.10 (LTS)
  • 10.1.0 から 10.1.2
  • 10.0.2 から 10.0.3
  • 9.5.1 から 9.5.4
  • 9.4.0 から 9.4.1
  • 9.3.1 から 9.3.2
  • 9.2.0 to 9.2.19 (LTS)
  • 9.1.0 から 9.1.1
  • 9.0.1 から 9.0.3
  • 8.9.2 から 8.9.8
  • 10.2.11 (LTS) recommended Data Center Only
  • 9.2.20 (LTS) Data Center Only
BASM (Broken Authentication & Session Management) in Confluence Data CenterCVE-2026-29145

9.1 Critical

This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.

DoS (Denial of Service) in Confluence Data CenterCVE-2026-290628.7 High
Information Disclosure in Confluence Data CenterCVE-2026-344877.5 High
Information Disclosure in Confluence Data CenterCVE-2026-291467.5 High
HTTP Request/Response Smuggling Apache Tomcat Dependency in Confluence Data CenterCVE-2026-248807.5 High
Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Confluence Data CenterCVE-2026-344837.5 High
DoS (Denial of Service) in Confluence Data CenterCVE-2026-337507.5 High
Injection in Confluence Data CenterCVE-2026-247347.5 High
Fisheye/Crucible
  • 4.9.0 から 4.9.9
  • 4.9.10 recommended
RCE (Remote Code Execution) at c3p0 dependency in Crucible ServerCVE-2026-278308.9 High
RCE (Remote Code Execution) at mchange-commons-java dependency in Crucible ServerCVE-2026-277278.9 High
Covert timing channel vulnerability at Bouncy Castle dependency at Crucible ServerCVE-2026-55988.9 High
RCE (Remote Code Execution) at com.fasterxml.jackson.core:jackson-core dependency in Crucible ServerCVE-2025-529998.7 High
DoS (Denial of Service) at postgresql dependency in Crucible ServerCVE-2026-421987.5 High
DoS (Denial of Service) at commons-fileupload dependency in Crucible ServerCVE-2023-249987.5 High
Jira Data Center および Server
  • 11.3.0 to 11.3.4 (LTS)
  • 11.2.0 から 11.2.1
  • 11.1.0 から 11.1.1
  • 11.0.0 から 11.0.1
  • 10.7.1 から 10.7.4
  • 10.6.0 から 10.6.1
  • 10.5.0 から 10.5.1
  • 10.4.0 から 10.4.1
  • 10.3.0 to 10.3.19 (LTS)
  • 10.2.0 から 10.2.1
  • 10.1.1 から 10.1.2
  • 10.0.0 から 10.0.1
  • 9.17.0 から 9.17.5
  • 9.16.0 から 9.16.1
  • 9.12.32 to 9.12.34 (LTS)
  • 11.3.5 to 11.3.6 (LTS) recommended Data Center Only
  • 10.3.20 to 10.3.21 (LTS) Data Center Only
  • 9.12.35 (LTS)
Security Headers Omission in Jira Software Data CenterCVE-2026-22732

9.1 Critical

This is a vulnerability in a non-Atlassian Jira Software dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.

DoS (Denial of Service) in Jira Software Data CenterCVE-2026-290628.7 High
File Inclusion in Jira Software Data CenterCVE-2026-318028.2 High
File Inclusion in Jira Software Data CenterCVE-2026-297868.2 High
DOM-based XSS in Jira Software Data CenterCVE-2026-220298 High
DoS (Denial of Service) in Jira Software Data CenterCVE-2026-256397.5 High
Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data CenterCVE-2026-344837.5 High
DoS (Denial of Service) in Jira Software Data CenterCVE-2026-337507.5 High
Security Misconfiguration in Jira Software Data CenterCVE-2026-291297.5 High
Jira Service Management Data Center および Server
  • 11.3.0 to 11.3.4 (LTS)
  • 11.2.0 から 11.2.1
  • 11.1.0 から 11.1.1
  • 11.0.0 から 11.0.1
  • 10.7.1 から 10.7.4
  • 10.6.0 から 10.6.1
  • 10.5.0 から 10.5.1
  • 10.4.0 から 10.4.1
  • 10.3.0 to 10.3.19 (LTS)
  • 10.2.0 から 10.2.1
  • 10.1.1 から 10.1.2
  • 10.0.0 から 10.0.1
  • 5.17.0 から 5.17.5
  • 5.16.0 から 5.16.1
  • 11.3.5 to 11.3.6 (LTS) recommended Data Center Only
  • 10.3.20 to 10.3.21 (LTS) Data Center Only
Security Headers Omission in Jira Service Management Data CenterCVE-2026-22732

9.1 Critical

This is a vulnerability in a non-Atlassian Jira Service Management dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.

DoS (Denial of Service) in Jira Service Management Data CenterCVE-2026-290628.7 High
File Inclusion in Jira Service Management Data CenterCVE-2026-318028.2 High
File Inclusion in Jira Service Management Data CenterCVE-2026-297868.2 High
DOM-based XSS in Jira Service Management Data CenterCVE-2026-220298 High
DoS (Denial of Service) in Jira Service Management Data CenterCVE-2026-256397.5 High
DoS (Denial of Service) in Jira Service Management Data CenterCVE-2026-337507.5 High
Improper Encoding org.apache.tomcat:tomcat-catalina Dependency in Jira Service Management Data CenterCVE-2026-344837.5 High
File Inclusion in Jira Service Management Data CenterCVE-2026-269607.1 High


Frequently Asked Questions:

  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.

  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.

  • I am using an LTS, why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.

  • Questions about the bulletin, have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post


To search for CVEs or check your products versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

最終更新日 2026 年 5 月 20 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する

関連コンテンツ

  • 関連コンテンツがありません
Powered by Confluence and Scroll Viewport.