DevOps Pulse

Veeam patched three CVSS 9.9 RCE flaws in Backup & Replication (CVE-2026-21666/21667/21669) that let any domain user execute code on backup servers, while research shows 89% of organizations now have backup repos directly targeted by ransomware. Rubrik added Azure DevOps and GitHub to its SaaS backup portfolio, directly entering Veeam's DevOps target market alongside GitProtect's v2.1.0 Jira granular backup and Commvault's Unified Data Vault. AI-generated code is now linked to one in five security breaches per Aikido Security's 2026 report, and Azure DevOps retired global PATs as of March 15 — both demanding immediate product and integration roadmap attention. The PM team should prioritize verifying customer patch adoption for the March 12 RCE fixes, accelerating the competitive response to Rubrik's DevOps backup expansion, and auditing all Azure DevOps integrations using global PATs before the December 2026 sunset.

Signals: 28 · Sections: 5/5 · Threats: 6 · Fresh: 5 · Updated: 101d ago

DevOps Platform Updates

scanned 101d ago · 6

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

Atlassian Patches High-Severity OS Command Injection in Confluence

On March 17, 2026, Atlassian published a security bulletin disclosing multiple vulnerabilities across self-hosted Jira and Confluence products. CVE-2025-64756 is a high-severity OS command injection flaw in Confluence Data Center and Server that allows authenticated attackers to execute arbitrary system commands. Self-managed installations must immediately upgrade to patched versions (11.3.3 LTS or 10.3.18 LTS); Atlassian-hosted cloud products are unaffected, so on-premises Veeam-integrated deployments carry elevated risk.

confluence · UC Berkeley Information Security Office · 18 Mar

Azure DevOps Retires Global PATs; New Creation Blocked March 15

Azure DevOps Sprint 270 announces the retirement of Global Personal Access Tokens (PATs), which grant overly broad cross-organization access. As of March 15, 2026, creation and regeneration of global PATs are blocked; all existing tokens will stop working December 1, 2026. Any Veeam connector, backup automation, or CI/CD integration relying on global PATs must migrate to organization-scoped PATs or Microsoft Entra-based authentication to avoid disruption.

azure-devops · Microsoft Learn — Azure DevOps Release Notes · 15 Mar

CVE-2026-33419: MinIO LDAP Flaw Exposes S3 Buckets to Brute-Force

A vulnerability disclosed March 20, 2026 in MinIO AIStor affects all LDAP-configured deployments. Two chained weaknesses—username enumeration via distinguishable error responses and absent rate limiting on the STS AssumeRoleWithLDAPIdentity endpoint—allow unauthenticated attackers to obtain AWS-style credentials (AccessKeyId, SecretAccessKey, SessionToken) with full S3 access. No fix is currently available, raising immediate risk for DevOps pipelines using MinIO as object storage for build artifacts or backup data.

gitlab · GitLab Advisory Database (GLAD) · 20 Mar · Recent

GitHub Enterprise Server 3.20 GA Ships Built-In Backup Service

GHES 3.20, released March 17, 2026, promotes its managed built-in backup service from public preview to general availability, eliminating the need for a separate host running backup-utils (which is planned for retirement starting in GHES 3.22). The release also adds immutable releases—locking artifact files and tags from post-publication modification—directly strengthening supply chain integrity. These changes affect Veeam customers who back up GHES instances and rely on backup-utils tooling.

github · GitHub Changelog · 17 Mar

Azure DevOps Sprint 270 Adds Audit Log for Push Protection Bypasses

Sprint 270 (March 2026) in Azure DevOps now records secret push protection bypass events in the organization audit log, capturing the repository, secret type, and identity of the bypassing developer. This gives security and compliance teams a complete paper trail for credential-leak incidents, enabling easier policy enforcement and developer coaching. For Veeam, this increases auditability of CI/CD pipelines that handle backup credentials.

azure-devops · Microsoft Learn — Azure DevOps Release Notes · 15 Mar

GitHub Actions Supports Environments Without Creating Deployments

GitHub Actions' late March 2026 update introduces a deployment: false key for environment definitions, letting workflows consume environment-scoped secrets and variables without generating a GitHub Deployment record. Teams using Actions for backup or restore automation can now isolate environment credentials without polluting the Deployments view. The same release adds IANA timezone support to cron schedules, removing the UTC-only restriction.

github · GitHub Changelog · 19 Mar