Skip to main content

Jenkins EUVDEUVD-2026-12845

| CVE-2026-33002 HIGH
Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)
2026-03-18 jenkins GHSA-phhv-63fh-rrc8
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 15:45 euvd
EUVD-2026-12845
Analysis Generated
Mar 18, 2026 - 15:45 vuln.today
CVE Published
Mar 18, 2026 - 15:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.jenkins-ci.main:jenkins-core (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.442.

DescriptionCVE.org

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.

AnalysisAI

Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 contain an origin validation bypass vulnerability in the CLI WebSocket endpoint that allows attackers to conduct DNS rebinding attacks. The vulnerability stems from improper use of Host and X-Forwarded-Host headers to compute expected request origins, enabling attackers to bypass authentication controls and potentially execute arbitrary commands through the CLI WebSocket interface. While no CVSS score, EPSS data, or active exploitation in the wild (KEV) status has been publicly disclosed, the vulnerability affects a critical Jenkins component and was responsibly disclosed by the Jenkins security team.

Technical ContextAI

The vulnerability exists in Jenkins' WebSocket CLI endpoint origin validation mechanism, which is responsible for authenticating and authorizing remote command execution requests. The root cause is an inadequate implementation of origin validation that relies on the Host or X-Forwarded-Host HTTP request headers to derive the expected origin for comparison. DNS rebinding attacks exploit this by manipulating DNS resolution to initially resolve to the attacker's server (for initial connection negotiation) and then resolve to the target Jenkins instance, causing the browser or client to make requests that appear to originate from the legitimate Jenkins host according to DNS but are actually controlled by the attacker. This is a form of authentication bypass (CWE-20: Improper Input Validation) where untrusted input from HTTP headers is used to make security decisions without proper validation. The affected CPE is cpe:2.3:a:jenkins_project:jenkins:*:*:*:*:*:*:*:*, confirming that all Jenkins versions within the affected range are impacted.

RemediationAI

Immediately upgrade Jenkins to version 2.555 or later for standard releases, or to LTS version 2.541.3 or later for Long-Term Support releases, as these versions include a fix for the origin validation vulnerability. See the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674 for detailed upgrade instructions. As an interim mitigation, disable or restrict access to the CLI WebSocket endpoint through network controls (firewall rules, network segmentation) to limit exposure to untrusted networks, and deploy Jenkins behind a reverse proxy that performs strict origin validation independent of Host headers—specifically, configure the proxy to validate request origins against a whitelist and avoid forwarding the X-Forwarded-Host header without strict validation. Additionally, enforce HTTPS with HSTS headers and restrict CLI access to authenticated users from known IP ranges. However, these mitigations are temporary; patching should be prioritized.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Vendor StatusVendor

Share

EUVD-2026-12845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy