VYPR
Unrated severity · NVD Advisory · Published Apr 20, 2022 · Updated Oct 3, 2024

CVE-2022-26133


Description

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allows a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Atlassian Bitbucket Data Center uses a vulnerable Hazelcast library that allows unauthenticated remote code execution via Java deserialization.

Vulnerability

Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 through 7.16.x, 7.17.x before 7.17.6, 7.18.x before 7.18.4, 7.19.x before 7.19.4, and 7.20.0 are affected [1][2]. The vulnerability resides in the SharedSecretClusterAuthenticator component, which is part of the Hazelcast library used by Bitbucket Data Center for clustering [1][2]. A remote, unauthenticated attacker can exploit a Java deserialization flaw by sending a specially crafted request to the Hazelcast service, achieving arbitrary code execution [1][2]. Both single and multi-node installations of Bitbucket Data Center are vulnerable; enabling or disabling clustering does not change the exposure [2]. Bitbucket Server and Bitbucket Cloud are not affected [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted serialized Java object to the Hazelcast port (default TCP 5701) of an affected Bitbucket Data Center instance [2]. No authentication is required, and the attacker does not need any prior access or special network position beyond network connectivity to the targeted Hazelcast port [1][2]. The exploitation does not require user interaction or any race condition.

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the Bitbucket Data Center process (typically a dedicated system user) [1][2]. This can lead to complete compromise of the Bitbucket Data Center host, including access to repositories, credentials, and sensitive data, as well as potential lateral movement within the environment.

Mitigation

Atlassian has released fixed versions: 7.6.14, 7.17.6, 7.18.4, 7.19.4, 7.20.1, and 7.21.0 [2]. All users should upgrade to one of these versions as soon as possible. As a workaround, restrict network access to the Hazelcast port (default TCP 5701) using a firewall or network access controls, allowing connections only from trusted cluster nodes [2]. This vulnerability is not listed as a Known Exploited Vulnerability (KEV) at the time of writing.
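The affected ranges in the Vulnerability section and the fixed releases in the Mitigation section are easy to misread when checking a fleet by hand (7.6.14 is fixed but 7.6.13 is not; 7.20.0 is affected but 7.20.1 is not). The following triage helper is an added example, not part of this VYPR page or any Atlassian tooling: it encodes the ranges and fixed versions exactly as stated above and reports, for a constructed inventory of hosts, whether each version is affected. The choice of "smallest fixed release above the running version" as the suggested upgrade target is this script's own assumption, not an Atlassian recommendation; any of the listed fixed versions closes the issue.

```python
"""Triage helper for CVE-2022-26133 (Bitbucket Data Center, Hazelcast deserialization).

Constructed example. Version ranges and fixed releases are copied from the
advisory text; the host inventory below is made up for illustration, and the
"nearest fixed release" mapping is this script's assumption.
"""
from __future__ import annotations

import re
from typing import Optional

# Affected ranges from the advisory as (lower inclusive, upper exclusive).
# The single affected version "=7.20.0" is expressed as [7.20.0, 7.20.1).
AFFECTED_RANGES = [
    ("5.14.0", "7.6.14"),
    ("7.7.0", "7.17.6"),
    ("7.18.0", "7.18.4"),
    ("7.19.0", "7.19.4"),
    ("7.20.0", "7.20.1"),
]

# Fixed releases listed in the Mitigation section.
FIXED_VERSIONS = ["7.6.14", "7.17.6", "7.18.4", "7.19.4", "7.20.1", "7.21.0"]

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '7.17.5' into (7, 17, 5); reject anything that is not dotted digits."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _cmp(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare, padding the shorter tuple with zeros so 7.20 == 7.20.0."""
    n = max(len(a), len(b))
    a2 = a + (0,) * (n - len(a))
    b2 = b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range of the advisory."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if _cmp(v, parse_version(lo)) >= 0 and _cmp(v, parse_version(hi)) < 0:
            return True
    return False


def recommended_fix(version: str) -> Optional[str]:
    """Smallest listed fixed release above the running version (assumption:
    the closest upgrade path), or None when the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    candidates = [f for f in FIXED_VERSIONS if _cmp(parse_version(f), v) > 0]
    return min(candidates, key=parse_version)


def triage(inventory: dict[str, str]) -> dict[str, Optional[str]]:
    """Map each host name to its suggested fixed release, or None if not affected."""
    return {host: recommended_fix(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory of host -> reported Bitbucket Data Center version.
    inventory = {
        "bitbucket-prod-1": "7.17.5",
        "bitbucket-prod-2": "7.17.6",
        "bitbucket-legacy": "7.6.2",
        "bitbucket-staging": "7.20.0",
        "bitbucket-new": "7.21.0",
    }
    for host, fix in triage(inventory).items():
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host:18} {inventory[host]:8} {status}")
```

Feed it the version string shown in the Bitbucket administration UI or the `/rest/api/1.0/application-properties` output of each node; the result is only as good as the inventory, so treat a version that fails `parse_version` (for example a build suffix) as "unknown" rather than "safe".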

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Atlassian / Bitbucket Data Center (2 version ranges)
    • (no CPE) range: >=5.14.0, <7.6.14; >=7.7.0, <7.17.6; >=7.18.0, <7.18.4; >=7.19.0, <7.19.4; =7.20.0
    • (no CPE) range: 5.14.0

Patches

No patches discovered yet (0 linked).

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2 references (cited inline above as [1] and [2]).

News mentions

No linked articles in our index yet (0 linked).