Skip to main content

Jenkins CVE-2026-33001

| EUVDEUVD-2026-12843 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-03-18 jenkins GHSA-r6qv-frpc-q66c
8.8
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 15:45 euvd
EUVD-2026-12843
Analysis Generated
Mar 18, 2026 - 15:45 vuln.today
CVE Published
Mar 18, 2026 - 15:15 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 13 maven packages depend on org.jenkins-ci.main:jenkins-core (13 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.555.

DescriptionCVE.org

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

AnalysisAI

Jenkins versions 2.554 and earlier (LTS 2.541.2 and earlier) contain a path traversal vulnerability in their handling of tar and tar.gz archive extraction that fails to safely process symbolic links, allowing attackers to write files to arbitrary filesystem locations. Attackers with Item/Configure permission or control over Jenkins agent processes can exploit this to deploy malicious scripts and plugins on the Jenkins controller, achieving code execution with the privileges of the Jenkins process. The vulnerability is particularly concerning because it affects the core Jenkins application and enables privilege escalation through plugin installation mechanisms.

Technical ContextAI

The vulnerability exists in Jenkins' archive extraction functionality (CPE: cpe:2.3:a:jenkins_project:jenkins:*:*:*:*:*:*:*:*) and stems from improper validation of symbolic links during tar archive processing. This is a classic path traversal/directory traversal issue (related to CWE-22: Improper Limitation of a Pathname to a Restricted Directory) where the application fails to canonicalize or validate symlink targets before extracting archive contents. When Jenkins processes a crafted tar or tar.gz file containing malicious symbolic links, it follows those links without verification, allowing an attacker to write files outside the intended extraction directory. The vulnerability is particularly dangerous because Jenkins uses archive extraction for plugin installation and agent file transfers, two critical operational pathways that would naturally be trusted by system administrators.

RemediationAI

Immediately upgrade to patched versions: Jenkins 2.555 or later, or Jenkins LTS 2.542.1 or later, as released by the Jenkins project following the advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657. Do not delay this patching—the vulnerability is in core functionality used during normal plugin installation and agent operations. For organizations unable to patch immediately, implement compensating controls: restrict Item/Configure permission to only trusted users via Jenkins' Authorization Strategy settings, audit all users with agent-related permissions, monitor agent connections for suspicious activity, and temporarily disable remote agent connections if feasible. Additionally, audit recent archive extractions in Jenkins job logs and agent-controller communications to identify potential exploitation. After patching, review installed plugins for any suspicious entries that may have been added during the vulnerability window.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Vendor StatusVendor

Share

CVE-2026-33001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy