Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 maven packages depend on io.jenkins.plugins:pipeline-groovy-lib (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 798.v5cc688825312.
DescriptionCVE.org
Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
AnalysisAI
Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.
Technical ContextAI
The affected component is the Jenkins 'Pipeline: Groovy Libraries Plugin', which lets Pipeline jobs load reusable Groovy code from 'shared libraries' typically backed by an SCM repository (Git, etc.). When such a library is retrieved and checked out, its files are placed on the Jenkins controller. The root cause is CWE-59 (Improper Link Resolution Before File Access, i.e., link following / a symlink attack): the plugin does not strip or reject symbolic links contained in the library, so a symlink committed into the library will be followed and resolved against the controller's real filesystem rather than being confined to the library workspace. This is a classic path-confinement failure where untrusted, attacker-supplied repository content is materialized on a privileged host without sanitizing links.
RemediationAI
Upgrade the Jenkins 'Pipeline: Groovy Libraries Plugin' to the fixed release published in the Jenkins security advisory; the exact patched version number is not present in the provided input data, so consult https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3727 and the Jenkins update center for the specific fixed version rather than relying on an invented version string. Until you can update, reduce exposure by restricting who can author or modify shared libraries: limit global/folder-level shared library definitions to trusted administrators, and require that library SCM repositories are write-restricted so untrusted users cannot commit symlinks (trade-off: slows down self-service library development). Prefer pinning libraries to specific trusted revisions and disabling 'allow default version to be overridden' / dynamic loading where feasible (trade-off: less flexibility for job authors). Audit recent builds that loaded shared libraries for unexpected symlinks or file access, and rotate any controller secrets that an untrusted library author could have read if you suspect exposure.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32512
GHSA-qjq3-wqj5-g37q