Atlassian (Jira and Confluence) vulnerabilities - March 2026

March 18, 2026

To the UCB-Security community,

This is a notice from the Information Security Office to alert you to multiple vulnerabilities that Atlassian has announced across its suite of self-hosted products, including Jira and Confluence[1]. Atlassian-hosted products are not affected by these vulnerabilities.

Please share this alert internally with IT admins and service owners who run the product so they are aware and know what actions to take to address these vulnerabilities.

SUMMARY

ISO is aware of a vulnerability that affects Confluence Data Center and Server[2]. CVE-2025-64756 is a high-severity OS command injection vulnerability that allows an authenticated attacker to gain access to, and possibly execute arbitrary commands on, the target system.

ISO is also aware of multiple high-severity vulnerabilities that affect Jira Data Center and Server. These include path traversal, file overwrite, and denial of service. They could allow an attacker to learn the file system layout and potentially replace existing files or execute arbitrary files.

IMPACT

These vulnerabilities could allow command execution and data disclosure to unauthorized users, as well as system downtime.

WHAT IS VULNERABLE

Vulnerable versions of Confluence Data Center and Server are the following:

  • 10.2.0 to 10.2.6 (LTS)

  • 10.1.0 to 10.1.2

  • 9.5.1 to 9.5.4

  • 9.2.5 to 9.2.14 (LTS)

  • 9.0.1

Vulnerable versions of Jira Data Center and Server are the following:

  • 11.3.0 to 11.3.2 (LTS)

  • 11.2.0 to 11.2.1

  • 11.1.0 to 11.1.1

  • 11.0.0 to 11.0.1

  • 10.7.1 to 10.7.4

  • 10.6.0 to 10.6.1

  • 10.5.0 to 10.5.1

  • 10.4.0 to 10.4.1

  • 10.3.0 to 10.3.17 (LTS)

  • 10.2.0 to 10.2.1

  • 10.1.1 to 10.1.2

  • 10.0.0 to 10.0.1

  • 9.17.0 to 9.17.5

  • 9.16.0 to 9.16.1

  • 9.15.2

RECOMMENDATIONS

  1. Upgrade to a patched version of Confluence Data Center and Server (Data Center only):

    1. 10.2.7 (LTS), recommended

    2. 9.2.15 to 9.2.17 (LTS)

    3. 9.0.2 to 9.0.3

  2. Upgrade to a patched version of Jira Data Center and Server (Data Center only):

    1. 11.3.3 (LTS), recommended

    2. 10.3.18 (LTS)
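
As an added example (not part of this notice, and not code from Atlassian), the following Python script turns the vulnerable ranges in WHAT IS VULNERABLE and the patched releases in RECOMMENDATIONS into an inventory check an admin can run against a list of installed versions. The function names (parse_version, is_vulnerable, recommended_upgrade, assess) and the sample inventory at the bottom are constructed for this example; the "or later" targets are the lowest patched release the notice lists for each line. The main point it illustrates is that versions must be compared numerically, since a string comparison wrongly puts 10.3.9 after 10.3.17 and would miss a vulnerable install.

```python
# Added example: compare installed Confluence/Jira versions against the
# vulnerable ranges and patched releases listed in the ISO notice.
from __future__ import annotations

import re

# Vulnerable ranges (inclusive) copied from the WHAT IS VULNERABLE section.
VULNERABLE = {
    "confluence": [
        ("10.2.0", "10.2.6"), ("10.1.0", "10.1.2"), ("9.5.1", "9.5.4"),
        ("9.2.5", "9.2.14"), ("9.0.1", "9.0.1"),
    ],
    "jira": [
        ("11.3.0", "11.3.2"), ("11.2.0", "11.2.1"), ("11.1.0", "11.1.1"),
        ("11.0.0", "11.0.1"), ("10.7.1", "10.7.4"), ("10.6.0", "10.6.1"),
        ("10.5.0", "10.5.1"), ("10.4.0", "10.4.1"), ("10.3.0", "10.3.17"),
        ("10.2.0", "10.2.1"), ("10.1.1", "10.1.2"), ("10.0.0", "10.0.1"),
        ("9.17.0", "9.17.5"), ("9.16.0", "9.16.1"), ("9.15.2", "9.15.2"),
    ],
}

# Lowest patched release per major.minor line, from the RECOMMENDATIONS section
# (Data Center only). Lines with no entry have no fix listed in the notice.
FIXED = {
    "confluence": {"10.2": "10.2.7", "9.2": "9.2.15", "9.0": "9.0.2"},
    "jira": {"11.3": "11.3.3", "10.3": "10.3.18"},
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.2.6' (or '10.2.6-hotfix') into a numeric tuple so that
    10.2.10 compares greater than 10.2.6; string comparison gets this wrong."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '9.2' to (9, 2, 0)


def is_vulnerable(product: str, version: str) -> bool:
    """True if the version falls inside any listed vulnerable range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in VULNERABLE[product])


def recommended_upgrade(product: str, version: str) -> str | None:
    """First patched release on the same major.minor line, or None when the
    notice lists no fix for that line (meaning: move to a supported LTS line)."""
    major, minor = parse_version(version)[:2]
    return FIXED[product].get(f"{major}.{minor}")


def assess(product: str, version: str) -> str:
    """One-line verdict for an inventory row."""
    if not is_vulnerable(product, version):
        return f"{product} {version}: not in a listed vulnerable range"
    target = recommended_upgrade(product, version)
    if target:
        return f"{product} {version}: VULNERABLE, upgrade to {target} or later"
    return f"{product} {version}: VULNERABLE, no fix on this line; move to an LTS release"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("confluence-prod", "confluence", "10.2.6"),
        ("confluence-test", "confluence", "9.5.2"),
        ("jira-prod", "jira", "10.3.9"),
        ("jira-dev", "jira", "11.3.3"),
    ]
    for host, product, version in inventory:
        print(f"{host}: {assess(product, version)}")
```

Run it directly to see the verdict for each inventory row; replace the constructed inventory with the output of your own asset tracking. The ranges are inclusive, so a version equal to either bound counts as vulnerable.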

MITIGATION

If you are unable to patch immediately, a temporary workaround is to restrict network access to the platform with firewall rules so that only authorized users can reach it. Because the Confluence issue is exploitable by authenticated users, this reduces exposure but is not a substitute for patching.

REFERENCES

  1. https://confluence.atlassian.com/security/security-bulletin-march-17-2026-1721271371.html

  2. https://jira.atlassian.com/browse/CONFSERVER-102542

If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu.