Security Bulletin - January 20 2026


January 2026 Security Bulletin

The vulnerabilities reported in this Security Bulletin include 30 high-severity vulnerabilities and 2 critical-severity vulnerabilities, which have been fixed in new versions of our products released in the last month.

CVEs reported in monthly Security Bulletins have been assessed as presenting a non-critical risk to Atlassian customers. Atlassian issues Critical Security Advisories, outside of the monthly Security Bulletin schedule as necessary, for vulnerabilities that pose an immediate critical risk based on how our products actually use the affected components.

Vulnerabilities are discovered through our Bug Bounty program, pen-testing processes, and third-party library scans.

INSTRUCTIONS

To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of January 20, 2026 (date of publication); visit the linked product Release Notes for the most up-to-date versions.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Released Security Vulnerabilities

Each product entry below lists the Affected Versions, the Fixed Versions, and each reported vulnerability with its summary, CVE ID and CVSS severity (the product Release Notes are linked from the original table).

Bamboo Data Center and Server

Affected Versions:

  • 12.0.0 to 12.0.1
  • 11.0.0 to 11.0.8
  • 10.2.0 to 10.2.12 (LTS)
  • 10.1.0 to 10.1.1
  • 10.0.0 to 10.0.3
  • 9.6.0 to 9.6.20 (LTS)

Fixed Versions:

  • 12.0.2 Data Center Only
  • 10.2.13 to 10.2.15 (LTS) recommended Data Center Only
  • 9.6.21 to 9.6.22 (LTS) Data Center Only

Vulnerabilities:

  • Race Condition at org.glassfish.jersey.core:jersey-client in Bamboo Data Center (CVE-2025-12383, CVSS 9.4 Critical)
    This is a vulnerability in a non-Atlassian Bamboo dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • XXE (XML External Entity Injection) org.apache.tika:tika-core Dependency in Bamboo Data Center and Server (CVE-2025-54988, CVSS 8.4 High)
  • DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Bamboo Data Center and Server (CVE-2025-55163, CVSS 8.2 High)
  • SSRF (Server-Side Request Forgery) axios Dependency in Bamboo Data Center and Server (CVE-2025-27152, CVSS 7.7 High)

Bitbucket Data Center and Server

Affected Versions:

  • 10.0.0 to 10.0.2
  • 9.6.0 to 9.6.5
  • 9.5.0 to 9.5.2
  • 9.4.0 to 9.4.14 (LTS)
  • 9.3.0 to 9.3.2
  • 9.2.0 to 9.2.1
  • 9.1.0 to 9.1.1
  • 9.0.1
  • 8.19.0 to 8.19.25 (LTS)
  • 8.18.0 to 8.18.1

Fixed Versions:

  • 10.1.1 to 10.1.4 Data Center Only
  • 9.4.15 to 9.4.16 (LTS) recommended Data Center Only
  • 8.19.26 to 8.19.27 (LTS) Data Center Only

Vulnerabilities:

  • DoS (Denial of Service) com.fasterxml.jackson.core:jackson-core Dependency in Bitbucket Data Center and Server (CVE-2025-52999, CVSS 8.7 High)
  • DoS (Denial of Service) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server (CVE-2024-38286, CVSS 8.6 High)
  • DoS (Denial of Service) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server (CVE-2025-48989, CVSS 7.5 High)
  • RCE (Remote Code Execution) org.apache.tomcat.embed:tomcat-embed-core Dependency in Bitbucket Data Center and Server (CVE-2025-55752, CVSS 7.5 High)
  • Improper Authorization org.springframework:spring-core Dependency in Bitbucket Data Center and Server (CVE-2025-41249, CVSS 7.5 High)

Confluence Data Center and Server

Affected Versions:

  • 10.2.0 to 10.2.1 (LTS)
  • 10.1.0 to 10.1.2
  • 10.0.2 to 10.0.3
  • 9.5.1 to 9.5.4
  • 9.4.0 to 9.4.1
  • 9.3.1 to 9.3.2
  • 9.2.0 to 9.2.12 (LTS)
  • 9.1.0 to 9.1.1
  • 9.0.1 to 9.0.3
  • 8.9.0 to 8.9.8
  • 8.8.0 to 8.8.1
  • 8.5.6 to 8.5.31 (LTS)
  • 7.19.19 to 7.19.30 (LTS)

Fixed Versions:

  • 10.2.2 (LTS) recommended Data Center Only
  • 9.2.13 (LTS) Data Center Only

Vulnerabilities:

  • XXE (XML External Entity Injection) in Confluence Data Center and Server (CVE-2025-66516, CVSS 10 Critical)
    Note: On December 17, 2025, we released an additional fix in versions 8.5.31, 9.2.13 and 10.2.2, and added it to the December Bulletin post-publication. It has been included in this Bulletin for awareness.
    This is a vulnerability in a non-Atlassian Confluence dependency. Atlassian's application of this dependency presents a lower, non-critical assessed risk.
  • XXE (XML External Entity Injection) org.apache.jackrabbit:jackrabbit-spi-commons Dependency in Confluence Data Center and Server (CVE-2025-53689, CVSS 8.8 High)
  • XXE (XML External Entity Injection) org.apache.tika:tika-core Dependency in Confluence Data Center and Server (CVE-2025-54988, CVSS 8.4 High)
  • MITM (Man-in-the-Middle) org.postgresql:postgresql Dependency in Confluence Data Center and Server (CVE-2025-49146, CVSS 8.2 High)

Crowd Data Center and Server

Affected Versions:

  • 7.1.0 to 7.1.2
  • 6.3.0 to 6.3.3

Fixed Versions:

  • 7.1.3 recommended Data Center Only
  • 6.3.4 Data Center Only

Vulnerabilities:

  • XXE (XML External Entity Injection) org.apache.tika:tika-core Dependency in Crowd Data Center and Server (CVE-2025-54988, CVSS 8.4 High)
  • XXE (XML External Entity Injection) in Crowd Data Center and Server (CVE-2026-21569, CVSS 7.9 High)
  • DoS (Denial of Service) org.apache.commons:commons-fileupload2-core Dependency in Crowd Data Center and Server (CVE-2025-48976, CVSS 7.5 High)
  • DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server (CVE-2025-64775, CVSS 7.5 High)

Jira Data Center and Server

Affected Versions:

  • 11.2.0
  • 11.1.0 to 11.1.1
  • 11.0.0 to 11.0.1
  • 10.7.1 to 10.7.4
  • 10.6.0 to 10.6.1
  • 10.5.0 to 10.5.1
  • 10.4.0 to 10.4.1
  • 10.3.0 to 10.3.15 (LTS)
  • 10.2.0 to 10.2.1
  • 10.1.1 to 10.1.2
  • 10.0.0 to 10.0.1
  • 9.17.0 to 9.17.5
  • 9.16.0 to 9.16.1
  • 9.15.2
  • 9.14.0 to 9.14.1
  • 9.13.0 to 9.13.1
  • 9.12.3 to 9.12.25 (LTS)

Fixed Versions:

  • 11.3.0 to 11.3.1 (LTS) recommended Data Center Only
  • 11.2.1 Data Center Only
  • 10.3.16 (LTS) Data Center Only
  • 9.12.26 to 9.12.31 (LTS)

Vulnerabilities:

  • DoS (Denial of Service) qs Dependency in Jira Software Data Center and Server (CVE-2025-15284, CVSS 8.7 High)
  • DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Jira Software Data Center and Server (CVE-2025-52434, CVSS 8.6 High)
  • DoS (Denial of Service) cross-spawn Dependency in Jira Software Data Center and Server (CVE-2024-21538, CVSS 7.7 High)
  • DoS (Denial of Service) ansi-regex Dependency in Jira Software Data Center and Server (CVE-2021-3807, CVSS 7.5 High)
  • Injection sha.js Dependency in Jira Data Center and Server (CVE-2025-9288, CVSS 7.4 High)
  • Injection cipher-base Dependency in Jira Data Center and Server (CVE-2025-9287, CVSS 7.4 High)
  • XSS (Cross Site Scripting) dompurify Dependency in Jira Software Data Center and Server (CVE-2024-45801, CVSS 7.3 High)

Jira Service Management Data Center and Server

Affected Versions:

  • 11.3.0 (LTS)
  • 11.2.0
  • 11.1.0 to 11.1.1
  • 11.0.0 to 11.0.1
  • 10.7.1 to 10.7.4
  • 10.6.0 to 10.6.1
  • 10.5.0 to 10.5.1
  • 10.4.0 to 10.4.1
  • 10.3.0 to 10.3.15 (LTS)
  • 10.2.0 to 10.2.1
  • 10.1.1 to 10.1.2
  • 10.0.0 to 10.0.1
  • 5.17.0 to 5.17.5
  • 5.16.0 to 5.16.1
  • 5.15.2
  • 5.14.0 to 5.14.1
  • 5.13.0 to 5.13.1
  • 5.12.3 to 5.12.28 (LTS)

Fixed Versions:

  • 11.3.1 (LTS) recommended Data Center Only
  • 11.2.1 Data Center Only
  • 10.3.16 (LTS) Data Center Only
  • 5.12.29 to 5.12.31 (LTS)

Vulnerabilities:

  • DoS (Denial of Service) qs Dependency in Jira Service Management Data Center and Server (CVE-2025-15284, CVSS 8.7 High)
  • DoS (Denial of Service) cross-spawn Dependency in Jira Service Management Data Center and Server (CVE-2024-21538, CVSS 7.7 High)
  • DoS (Denial of Service) ansi-regex Dependency in Jira Service Management Data Center and Server (CVE-2021-3807, CVSS 7.5 High)
  • DoS (Denial of Service) org.apache.tomcat:tomcat-coyote Dependency in Jira Service Management Data Center and Server (CVE-2025-52434, CVSS 7.5 High)
  • DoS (Denial of Service) semver Dependency in Jira Service Management Data Center (CVE-2022-25883, CVSS 7.5 High)
  • DoS (Denial of Service) path-to-regexp Dependency in Jira Service Management Data Center and Server (CVE-2024-45296, CVSS 7.5 High)
  • DoS (Denial of Service) org.codehaus.jettison:jettison Dependency Vulnerability in Jira Service Management Data Center and Server (CVE-2022-45693, CVSS 7.5 High)
  • XSS (Cross Site Scripting) dompurify Dependency in Jira Service Management Data Center and Server (CVE-2024-45801, CVSS 7.3 High)
  • Injection sha.js Dependency in Jira Service Management Data Center and Server (CVE-2025-9288, CVSS 7.4 High)
  • Injection cipher-base Dependency in Jira Service Management Data Center and Server (CVE-2025-9287, CVSS 7.4 High)


Frequently Asked Questions:

  • Why is my Feature Version not listed in a Fixed Version? You may be using an unsupported version and need to patch to the latest version or Long-Term Support (LTS) version.

  • What are the most up-to-date Data Center product versions? You can always check the software download portal or visit the product-specific download pages.

  • I am using an LTS; why is it not listed in the Fixed Versions? Your LTS version may not have been updated yet, or a backported fix may not have been feasible. Please see our Security Bug Fix Policy for more information. We recommend upgrading your products to the latest versions. For the latest fixed versions, visit the release notes linked in the vulnerability table.

  • Questions about the bulletin, or have feedback? Let us know! Read more about our bulletins and feel free to contribute feedback on our latest Community Post.

To search for CVEs or check your product versions for disclosed vulnerabilities, check the Vulnerability Disclosure Portal.

Last modified on Jan 28, 2026
