Security Bulletin - February 17 2026
February 2026 Security Bulletin
The vulnerabilities reported in this Security Bulletin include 13 high-severity vulnerabilities and 2 critical-severity vulnerabilities which have been fixed in new versions of our products, released in the last month.
CVEs reported in monthly Security Bulletins have been assessed as presenting a non-critical risk to Atlassian customers. Atlassian issues Critical Security Advisories for vulnerabilities that pose an immediate critical risk based on how our products actually use the affected components outside of our monthly Security Bulletin schedule as necessary.
Vulnerabilities are discovered through our Bug Bounty program, pen-testing processes, and third-party library scans.
INSTRUCTIONS
To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of February 17, 2026 (date of publication); visit the linked product Release Notes for the most up-to-date versions.
To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.
Released Security Vulnerabilities | |||||
|---|---|---|---|---|---|
Product & Release Notes | Affected Versions | Fixed Version | Vulnerability Summary | CVE ID | CVSS Severity |
|
| 8.6 High | |||
|
| File Inclusion tar-fs Dependency in Confluence Data Center and Server | 8.7 High | ||
DoS (Denial of Service) in Confluence Data Center and Server | 7.5 High | ||||
DoS (Denial of Service) in Confluence Data Center and Server | 7.5 High | ||||
7.5 High | |||||
DoS (Denial of Service) in Confluence Data Center and Server | 7.5 High | ||||
DoS (Denial of Service) in Confluence Data Center and Server | 7.5 High | ||||
|
| 9.8 Critical This is a vulnerability in a non-Atlassian Crowd dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. | |||
9.1 Critical This is a vulnerability in a non-Atlassian Crowd dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk. | |||||
RCE (Remote Code Execution) commons-beanutils Dependency in Crowd Data Center and Server | 8.8 High | ||||
DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server | 8.2 High | ||||
7.5 High | |||||
7.5 High | |||||
Insecure Deserialization kind-of Dependency in Crowd Data Center and Server | 7.5 High | ||||
DoS (Denial of Service) Third-Party Dependency in Crowd Data Center and Server | 7.5 High | ||||
Frequently Asked Questions:
Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.
What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.
I am using an LTS, why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.
Questions about the bulletin, have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post
To search for CVEs or check your products versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.