Skip to main content

Jenkins External Workspace Manager Plugin EUVDEUVD-2026-38777

| CVE-2026-57296 HIGH
Path Traversal (CWE-22)
2026-06-24 jenkins GHSA-hrmj-8fm9-cg8x
8.8
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable Pipeline step with low complexity but requires Item/Configure (PR:L); arbitrary controller file read plus vendor-noted RCE path justifies C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 16:23 vuln.today
CVSS changed
Jun 24, 2026 - 16:22 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 13:20 cve.org
HIGH 8.8

DescriptionCVE.org

Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.

AnalysisAI

Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with Item/Configure rights
Delivery
Add exwsAllocate step with traversal path
Exploit
Run pipeline to read controller files
Execution
Exfiltrate credentials/secret keys
Impact
Achieve remote code execution on controller

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold Jenkins Item/Configure permission, allowing them to define or modify a Pipeline that invokes the exwsAllocate step, and to supply a malicious custom workspace path containing path traversal sequences - this is an authenticated attack, not unauthenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderately consistent toward a real but gated risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer with Item/Configure permission (or an attacker who has phished such an account) edits or creates a Pipeline job that calls exwsAllocate with a custom workspace path containing '../../' sequences pointing at sensitive controller files such as credentials.xml or the master key. When the pipeline runs, the plugin resolves the traversal and reads those files back, which the attacker can then use to recover credentials and pivot to remote code execution on the controller. …
Remediation Apply the fix described in the Jenkins security advisory SECURITY-3777 (https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3777); the input data does not include an exact fixed version number, so treat the patch as 'available per vendor advisory' and upgrade to the version designated as fixed in that advisory rather than an assumed number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Jenkins installations running External Workspace Manager Plugin version 1.3.2 or earlier and determine operational necessity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy