EUVD-2026-36019
GHSA-g2xq-2v27-4rh3
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
AnalysisAI
Authenticated remote code execution in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) allows attackers with permission to submit config.xml to trigger deserialization of arbitrary core or plugin types that subsequently handle HTTP requests, enabling user impersonation, Script Console abuse, and arbitrary file reads from the controller. The flaw is tracked as a CWE-502 unsafe deserialization issue with a CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the Jenkins web UI and (2) an authenticated session holding a permission that allows submitting a config.xml - typically Item/Configure, Job/Configure, or User/Configure - on an instance running Jenkins ≤2.567 or LTS ≤2.555.2 with the vulnerable deserialization path in core or a loaded plugin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 8.8 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a low-privilege but network-reachable path with full CIA impact on the Jenkins controller, which is consistent with the description requiring the attacker to POST a config.xml - i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged Jenkins user with rights to submit a config.xml (for example, configuring a job or their own user object) POSTs a crafted XML payload that causes the controller to deserialize a gadget type whose instance registers itself in Stapler's request-handling chain. The attacker then issues follow-up HTTP requests that are processed in the context of an administrator, navigating to the Script Console to execute Groovy and achieve code execution on the controller, or reading arbitrary files such as secrets.key and credential stores. |
| Remediation | Vendor-released patch: upgrade to Jenkins weekly 2.568 or Jenkins LTS 2.555.3 as published in the 2026-06-10 advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3707. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Jenkins instances running version 2.567 or earlier (LTS 2.555.2 or earlier) and restrict configuration file (config.xml) submission permissions to trusted administrators only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today