CVE-2026-5598
This High severity Covert timing channel vulnerability was introduced in version 4.9.0 of Crucible Server.

Atlassian recommends that Crucible Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

- Crucible Data Center and Server 4.9: Upgrade to a release greater than or equal to 4.9.10

See the release notes (https://confluence.atlassian.com/crucible/crucible-releases-298977378.html). You can download the latest version of Crucible Data Center and Server from the download center (https://www.atlassian.com/software/crucible/download-archives).

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.84.
EPSS 0.02% · 6.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Crucible Data Center | |
| Atlassian | Bamboo Data Center | |
| Atlassian | Crucible Server | |
Exploit Intelligence
- CIRCL seen: CVE-2026-5598 (circl-sighting)
- https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905998 (circl)
- dependency-check-suppress.xml (github-poc)
- pom.xml (github-poc)
- pom.xml (github-poc)
- pom.xml (github-poc)
- pom.xml (github-poc)
- pom.xml (github-poc)
- pom.xml (github-poc)
- pom.xml (github-poc)
…and 28 more exploits
Timeline
- Apr 15, 2026 CVE Published
- Apr 15, 2026 PoC Published
- Apr 16, 2026 EPSS Score
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 18, 2026 Distribution Patch
- May 18, 2026 Security Advisory
- May 18, 2026 Distribution Patch