wid-sec-w-2026-0779 · Published 2026-03-18 · View on BSI CERT-Bund ↗

Jenkins: Multiple Vulnerabilities

CVSS 8.8 HIGH

Risk Summary

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes. Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.

CVEs (4)

CVE-2026-33001 CVE-2026-33002 CVE-2026-33003 CVE-2026-33004

Affected Vendors

Jenkins

Affected Products (6)

Jenkins · Jenkins weekly <2.555

Jenkins · Jenkins weekly 2.555

Jenkins · Jenkins LTS <2.541.3

Jenkins · Jenkins LTS 2.541.3

Jenkins · Jenkins LoadNinja Plugin <2.2

Jenkins · Jenkins LoadNinja Plugin 2.2

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more