Skip to main content

Groovy Libraries Plugin CVE-2026-48921

| EUVDEUVD-2026-32512 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-05-27 jenkinsci-cert@googlegroups.com GHSA-qjq3-wqj5-g37q
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:13 vuln.today
CVSS changed
May 27, 2026 - 20:22 NVD
7.5 (None) 7.5 (HIGH)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on io.jenkins.plugins:pipeline-groovy-lib (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 798.v5cc688825312.

DescriptionCVE.org

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

AnalysisAI

Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.

Technical ContextAI

The affected component is the Jenkins 'Pipeline: Groovy Libraries Plugin', which lets Pipeline jobs load reusable Groovy code from 'shared libraries' typically backed by an SCM repository (Git, etc.). When such a library is retrieved and checked out, its files are placed on the Jenkins controller. The root cause is CWE-59 (Improper Link Resolution Before File Access, i.e., link following / a symlink attack): the plugin does not strip or reject symbolic links contained in the library, so a symlink committed into the library will be followed and resolved against the controller's real filesystem rather than being confined to the library workspace. This is a classic path-confinement failure where untrusted, attacker-supplied repository content is materialized on a privileged host without sanitizing links.

RemediationAI

Upgrade the Jenkins 'Pipeline: Groovy Libraries Plugin' to the fixed release published in the Jenkins security advisory; the exact patched version number is not present in the provided input data, so consult https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3727 and the Jenkins update center for the specific fixed version rather than relying on an invented version string. Until you can update, reduce exposure by restricting who can author or modify shared libraries: limit global/folder-level shared library definitions to trusted administrators, and require that library SCM repositories are write-restricted so untrusted users cannot commit symlinks (trade-off: slows down self-service library development). Prefer pinning libraries to specific trusted revisions and disabling 'allow default version to be overridden' / dynamic loading where feasible (trade-off: less flexibility for job authors). Audit recent builds that loaded shared libraries for unexpected symlinks or file access, and rotate any controller secrets that an untrusted library author could have read if you suspect exposure.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Vendor StatusVendor

Share

CVE-2026-48921 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy