Atlassian patches critical dependency vulns across Confluence and Jira
TL;DR — Atlassian’s April 21, 2026 bulletin ties multiple Critical/High third-party dependency CVEs to specific Confluence/Jira fixed releases; if you run these products, validate versions and patch accordingly.
What happened
Atlassian publishes periodic security bulletins mapping disclosed vulnerabilities (often in bundled third-party dependencies) to affected Atlassian product versions and fixed versions.
On April 21, 2026, Atlassian published a new security bulletin covering Bamboo, Bitbucket, Confluence, Jira Software, and Jira Service Management. Notable items called out in the bulletin include Critical issues attributed to bundled dependencies such as dompurify (mXSS, CVSS 10, CVE-2024-47875) and org.yaml:snakeyaml (RCE, CVSS 9.8, CVE-2022-1471), plus a High node-tar issue described as Path Traversal (Arbitrary Write) in Confluence (CVE-2026-23950, CVSS 8.8).
The bulletin explicitly notes, for some dependency CVEs, that Atlassian’s usage context reduces the assessed risk (e.g., several entries say Atlassian’s application “presents a lower, non-critical assessed risk”). Even when vendor-assessed risk is reduced, these bulletins are operationally important because they define which product trains need urgent patch planning and which CVEs will show up in scanners and compliance attestations.
Who is impacted
- Organizations running self-managed Atlassian products covered by the bulletin (Data Center and Server lines), especially internet-reachable instances.
- Highest-risk environments are those where Confluence/Jira are treated as “internal-only” but are reachable via VPN/SSO, have broad user populations, or are integrated into CI/CD and identity workflows.
| Product (self-managed) | Affected versions (per bulletin) | Fixed versions (per bulletin; current as of 2026-04-21) | Notable Critical/High items called out |
|---|---|---|---|
| Confluence Data Center and Server | 10.2.0 to 10.2.7 (LTS)<br>10.1.0 to 10.1.2<br>10.0.2 to 10.0.3<br>9.5.1 to 9.5.4<br>9.4.0 to 9.4.1<br>9.3.1 to 9.3.2<br>9.2.0 to 9.2.17 (LTS)<br>9.1.0 to 9.1.1<br>9.0.1 to 9.0.3<br>8.9.1 to 8.9.8 | 10.2.10 (LTS; recommended; Data Center only)<br>9.2.19 (LTS; Data Center only) | CVE-2022-1471 (SnakeYAML RCE; dependency)<br>CVE-2026-23950 (node-tar path traversal/arbitrary write; dependency) |
| Jira Software Data Center and Server | 11.3.0 to 11.3.3 (LTS)<br>10.7.1 to 10.7.4<br>10.6.0 to 10.6.1<br>10.5.0 to 10.5.1<br>10.4.0 to 10.4.1<br>10.3.0 to 10.3.18 (LTS)<br>10.2.0 to 10.2.1<br>10.1.1 to 10.1.2<br>10.0.0 to 10.0.1<br>9.17.0 to 9.17.5<br>9.16.0 to 9.16.1<br>9.15.2<br>9.12.8 to 9.12.33 (LTS) | 11.3.4 (LTS; recommended; Data Center only)<br>10.3.19 (LTS; Data Center only) | CVE-2024-47875 (dompurify mXSS; dependency)<br>CVE-2022-1471 (SnakeYAML RCE; dependency)<br>CVE-2026-25547 (brace-expansion DoS; dependency) |
| Jira Service Management Data Center and Server | 11.3.0 to 11.3.3 (LTS)<br>11.2.0 to 11.2.1<br>11.1.0 to 11.1.1<br>11.0.1<br>10.7.1 to 10.7.4<br>10.6.0 to 10.6.1<br>10.5.0 to 10.5.1<br>10.4.0 to 10.4.1<br>10.3.0 to 10.3.18 (LTS)<br>10.2.0 to 10.2.1<br>10.1.1 to 10.1.2<br>10.0.0 to 10.0.1<br>5.17.0 to 5.17.5<br>5.16.0 to 5.16.1<br>5.15.2 | 11.3.4 (LTS; recommended; Data Center only)<br>10.3.19 (LTS; Data Center only) | CVE-2024-47875 (dompurify mXSS; dependency)<br>CVE-2022-1471 (SnakeYAML RCE; dependency) |
What to do now
- Follow Atlassian's remediation guidance: patch each instance to the latest release or to one of the Fixed Versions listed for its product in the table above. The Fixed Versions are current as of April 21, 2026 (the bulletin's publication date); later releases on the same train supersede them.
- Inventory all self-managed Atlassian deployments (prod + staging + DR), capture exact running versions, and map them against the bulletin’s affected/fixed ranges.
- Prioritize patching any internet-exposed Confluence/Jira instances and any instances trusted by SSO/IdP flows or build/release pipelines.
- Treat “dependency CVE” entries as actionable even when vendor-assessed risk is reduced: validate whether the vulnerable code paths are reachable in your configuration and document compensating controls where patch windows are constrained.
- After patching, verify: application startup health, auth/SSO flows, and plugin compatibility (especially for Confluence/Jira Data Center environments with extensive app ecosystems).
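The inventory-and-mapping step above is where mistakes happen in practice: versions get compared as strings, a single listed version such as 9.15.2 is missed, or an instance on a non-LTS train is left with no upgrade target. The script below is an added example, not Atlassian's code or tooling. It transcribes the affected ranges and Fixed Versions from the table in this post, compares versions numerically, picks the fix on the same major.minor train where one exists (otherwise the newest Fixed Version), and ranks instances so affected internet-exposed hosts come first. The inventory it processes is constructed sample data with placeholder host names; the product keys and the `exposure` field are assumptions of this example, not bulletin fields.

```python
"""Triage self-managed Atlassian instances against the April 21, 2026 bulletin.

Added example, not Atlassian's code. Affected ranges and Fixed Versions are
transcribed from the bulletin table reproduced in this post; the inventory
at the bottom is constructed sample data with placeholder host names.
"""
from __future__ import annotations

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '9.12.33' or '10.2' into a 3-tuple so ranges compare numerically."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


# Inclusive affected ranges and Fixed Versions per the bulletin table above.
# A single listed version (e.g. 9.15.2) is encoded as a one-element range.
BULLETIN: dict[str, dict[str, list]] = {
    "confluence": {
        "affected": [("10.2.0", "10.2.7"), ("10.1.0", "10.1.2"), ("10.0.2", "10.0.3"),
                     ("9.5.1", "9.5.4"), ("9.4.0", "9.4.1"), ("9.3.1", "9.3.2"),
                     ("9.2.0", "9.2.17"), ("9.1.0", "9.1.1"), ("9.0.1", "9.0.3"),
                     ("8.9.1", "8.9.8")],
        "fixed": ["10.2.10", "9.2.19"],
    },
    "jira-software": {
        "affected": [("11.3.0", "11.3.3"), ("10.7.1", "10.7.4"), ("10.6.0", "10.6.1"),
                     ("10.5.0", "10.5.1"), ("10.4.0", "10.4.1"), ("10.3.0", "10.3.18"),
                     ("10.2.0", "10.2.1"), ("10.1.1", "10.1.2"), ("10.0.0", "10.0.1"),
                     ("9.17.0", "9.17.5"), ("9.16.0", "9.16.1"), ("9.15.2", "9.15.2"),
                     ("9.12.8", "9.12.33")],
        "fixed": ["11.3.4", "10.3.19"],
    },
    "jira-service-management": {
        "affected": [("11.3.0", "11.3.3"), ("11.2.0", "11.2.1"), ("11.1.0", "11.1.1"),
                     ("11.0.1", "11.0.1"), ("10.7.1", "10.7.4"), ("10.6.0", "10.6.1"),
                     ("10.5.0", "10.5.1"), ("10.4.0", "10.4.1"), ("10.3.0", "10.3.18"),
                     ("10.2.0", "10.2.1"), ("10.1.1", "10.1.2"), ("10.0.0", "10.0.1"),
                     ("5.17.0", "5.17.5"), ("5.16.0", "5.16.1"), ("5.15.2", "5.15.2")],
        "fixed": ["11.3.4", "10.3.19"],
    },
}


def assess(product: str, version: str) -> dict[str, str]:
    """Classify one running version against the bulletin for its product.

    status: 'affected' (inside a listed range), 'fixed' (at or above a Fixed
    Version on the same major.minor train) or 'not_listed' (the bulletin
    enumerates neither this version nor a fix it already satisfies; check it
    by hand rather than assuming it is safe).
    upgrade_to: the fix on the same train if one exists, else the newest fix.
    """
    info = BULLETIN[product]
    v = parse_version(version)
    fixes = sorted((parse_version(f) for f in info["fixed"]), reverse=True)
    same_train = [f for f in fixes if f[:2] == v[:2]]
    target = same_train[0] if same_train else fixes[0]
    for lo, hi in info["affected"]:
        if parse_version(lo) <= v <= parse_version(hi):
            return {"status": "affected", "range": f"{lo} to {hi}", "upgrade_to": fmt(target)}
    if same_train and v >= same_train[0]:
        return {"status": "fixed", "range": "", "upgrade_to": fmt(target)}
    return {"status": "not_listed", "range": "", "upgrade_to": fmt(target)}


def triage(inventory: list[dict[str, str]]) -> list[dict[str, str]]:
    """Rank instances: affected and internet-exposed first (P1), affected but
    internal next (P2), everything else last (P3). Mirrors the checklist above."""
    rows = []
    for item in inventory:
        result = assess(item["product"], item["version"])
        affected = result["status"] == "affected"
        exposed = item.get("exposure") == "internet"
        priority = "P1" if affected and exposed else "P2" if affected else "P3"
        rows.append({**item, **result, "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"], r["host"]))


# Constructed sample inventory (placeholder hosts), not data from the bulletin.
SAMPLE_INVENTORY = [
    {"host": "wiki-prod", "product": "confluence", "version": "9.2.17", "exposure": "internet"},
    {"host": "wiki-stage", "product": "confluence", "version": "10.2.10", "exposure": "internal"},
    {"host": "jira-prod", "product": "jira-software", "version": "9.12.30", "exposure": "internal"},
    {"host": "jsm-dr", "product": "jira-service-management", "version": "5.15.2", "exposure": "internal"},
    {"host": "jira-lab", "product": "jira-software", "version": "10.3.19", "exposure": "internal"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["priority"]} {row["host"]:<10} {row["product"]:<24} '
              f'{row["version"]:<8} {row["status"]:<10} -> {row["upgrade_to"]}')
```

Two design points worth noting. First, a version that falls in none of the listed ranges (for example Confluence 10.2.8, between the end of the 10.2.0 to 10.2.7 range and the 10.2.10 fix) is reported as `not_listed` rather than `fixed`: the bulletin does not vouch for it, so it should be verified by hand and still moved to a Fixed Version. Second, instances on trains with no Fixed Version (Jira 9.12.x, JSM 5.x) get the newest Fixed Version as their target, which is a major upgrade and therefore the case that most needs early patch planning.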
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
