Plattform
jenkins
Komponente
org.jenkins-ci.main:jenkins-core
Behoben in
2.426.3
2.442
2.541.3
2.555
CVE-2026-33002 affects Jenkins Core versions 2.442 through 2.554, and LTS versions 2.426.3 through 2.541.2. This vulnerability stems from insufficient origin validation within the CLI WebSocket endpoint, enabling attackers to exploit DNS rebinding techniques. Successful exploitation can lead to unauthorized access and potential compromise of the Jenkins instance. Upgrade to version 2.555 to resolve this issue.
The core of this vulnerability lies in Jenkins' origin validation process for the CLI WebSocket endpoint. Normally, Jenkins should verify that requests originate from the expected domain. However, CVE-2026-33002 allows an attacker to manipulate this validation by leveraging DNS rebinding. This technique involves controlling a domain name that initially resolves to the attacker's server, then, through DNS manipulation, resolves to the Jenkins server's IP address. This bypasses the origin check, allowing the attacker to send malicious requests as if they originated from Jenkins itself. The potential impact includes unauthorized code execution, data exfiltration, and complete system compromise, particularly if sensitive credentials or build artifacts are accessible through the Jenkins interface. While not directly analogous to Log4Shell, the ability to bypass security controls and gain unauthorized access shares a similar risk profile.
CVE-2026-33002 was published on March 18, 2026. Its severity is currently assessed as HIGH (CVSS 7.5). There is no indication of this CVE being listed on KEV or having an EPSS score at this time. Public proof-of-concept (POC) code is currently unavailable, but the DNS rebinding technique is well-understood and readily exploitable. Active campaigns targeting this vulnerability are not yet reported, but the ease of exploitation suggests it may become a target for opportunistic attackers.
Organizations heavily reliant on Jenkins for their CI/CD pipelines are particularly at risk. Environments with exposed Jenkins instances or those using shared hosting configurations are also more vulnerable. Any deployment pattern where the Jenkins server's IP address is accessible from untrusted networks should be considered at risk.
• java / server: Monitor Jenkins logs for unusual origin headers or unexpected WebSocket connections. Use a network intrusion detection system (NIDS) to detect DNS rebinding attempts targeting the Jenkins server. • generic web: Use curl to test the CLI WebSocket endpoint with manipulated Host headers to attempt origin bypass.
curl -H "Host: malicious.example.com" http://jenkins-server/clidisclosure
Exploit-Status
EPSS
0.05% (15% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2026-33002 is upgrading Jenkins Core to version 2.555 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. One approach is to configure a Web Application Firewall (WAF) or reverse proxy to strictly enforce origin validation rules, rejecting requests with unexpected or manipulated Host headers. Another workaround involves restricting access to the CLI WebSocket endpoint to trusted networks or IP addresses. Carefully review Jenkins' configuration and ensure that X-Forwarded-Host header is not being used for origin validation. After upgrading, verify the fix by attempting a DNS rebinding attack against the CLI WebSocket endpoint using a tool like bettercap or similar DNS rebinding testing frameworks to confirm that origin validation is correctly enforced.
Actualice Jenkins a la versión 2.555 o superior, o a la versión LTS 2.541.3 o superior. Esto corrige la vulnerabilidad de validación de origen en el endpoint CLI WebSocket, previniendo ataques de DNS rebinding.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-33002 is a HIGH severity vulnerability in Jenkins Core versions up to 2.554 that allows attackers to bypass origin validation via DNS rebinding, potentially leading to unauthorized access.
If you are running Jenkins Core versions 2.442 through 2.554, or LTS versions 2.426.3 through 2.541.2, you are affected by this vulnerability.
Upgrade Jenkins Core to version 2.555 or later to resolve this vulnerability. If immediate upgrade is not possible, implement WAF rules to enforce origin validation.
While no active exploitation has been confirmed, the vulnerability is readily exploitable and the potential impact is significant, so proactive mitigation is recommended.
Refer to the official Jenkins security advisory for CVE-2026-33002 on the Jenkins website: [https://www.jenkins.io/security/advisories/]
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.