Plattform
jenkins
Komponente
org.jenkins-ci.main:jenkins-core
Behoben in
2.541.1
2.555
CVE-2026-33001 is an Arbitrary File Access vulnerability discovered in Jenkins Core. This flaw allows attackers to write files to arbitrary locations on the Jenkins controller's filesystem, potentially leading to malicious script deployment or plugin installation. The vulnerability affects versions of Jenkins Core up to and including 2.99, but is resolved in version 2.555.
The primary impact of CVE-2026-33001 lies in the ability of an attacker to write files to the Jenkins controller. This is achieved by crafting malicious .tar or .tar.gz archives that exploit Jenkins's unsafe handling of symbolic links during extraction. An attacker with Item/Configure permission, or control over agent processes, can leverage this to deploy malicious scripts or plugins. Successful exploitation could allow an attacker to gain persistent access to the Jenkins environment, steal sensitive data, or even pivot to other systems on the network. The blast radius extends to any system accessible from the compromised Jenkins controller, particularly if agents are involved. This vulnerability shares similarities with other archive extraction vulnerabilities where improper handling of file paths can lead to arbitrary file writes.
CVE-2026-33001 was published on 2026-03-18. Its severity is rated as HIGH with a CVSS score of 8.8. Currently, there are no publicly known active campaigns exploiting this vulnerability. While no public Proof-of-Concept (PoC) exploits have been widely released, the nature of the vulnerability suggests that it is likely to attract attention from malicious actors. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation in the short term, but vigilance is still advised.
Organizations heavily reliant on Jenkins for continuous integration and delivery are particularly at risk. Environments with lax file system permissions for the Jenkins user, or those utilizing Jenkins agents with broad access privileges, face a heightened threat. Shared hosting environments where multiple users have access to the Jenkins instance are also vulnerable.
• linux / server:
find /var/lib/jenkins/.jenkins/war/WEB-INF/lib -name '*.jar' -print0 | xargs -0 grep -i 'org.jenkins-ci.main:jenkins-core'• java / supply-chain: Examine Jenkins plugin dependencies for versions prior to 2.555. Check for unusual file creation patterns in Jenkins logs. • generic web: Monitor Jenkins access logs for unusual file upload activity, particularly involving .tar and .tar.gz archives.
disclosure
Exploit-Status
EPSS
0.12% (31% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2026-33001 is to upgrade Jenkins Core to version 2.555 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. Restrict file system access permissions for the user running Jenkins to minimize the potential impact of a successful exploit. Implement strict input validation on any archives uploaded to Jenkins, specifically scrutinizing file paths and symbolic links. Consider using a Web Application Firewall (WAF) or proxy to filter potentially malicious archive files before they reach Jenkins. After upgrading, verify the fix by attempting to upload a crafted archive containing symbolic links and confirming that the extraction process fails safely, preventing arbitrary file writes.
Actualice Jenkins a la versión 2.555 o superior, o a la versión 2.541.3 o superior de la línea LTS. Esto corrige la vulnerabilidad en el manejo de enlaces simbólicos durante la extracción de archivos .tar y .tar.gz. La actualización evitará que atacantes con permisos Item/Configure o control sobre procesos de agente desplieguen scripts o plugins maliciosos en el controlador.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-33001 is a HIGH severity vulnerability in Jenkins Core versions ≤2.99 that allows attackers to write files to arbitrary locations on the Jenkins controller's filesystem.
If you are running Jenkins Core versions 2.554 or earlier, or LTS versions 2.541.2 or earlier, you are affected by this vulnerability.
Upgrade Jenkins Core to version 2.555 or later to remediate the vulnerability. Consider restricting file system access permissions as an interim measure.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the official Jenkins security advisory at [https://www.jenkins.io/security/advisories/](https://www.jenkins.io/security/advisories/) for detailed information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.