Platform
jenkins
Component
org.jenkins-ci.main:jenkins-core
Fixed in
2.541.1
2.555
CVE-2026-33001 is an Arbitrary File Access vulnerability discovered in Jenkins Core. This flaw allows attackers to write files to arbitrary locations on the Jenkins controller's filesystem, potentially leading to malicious script deployment or plugin installation. The vulnerability affects versions of Jenkins Core up to and including 2.99, but is resolved in version 2.555.
An attacker who can exploit CVE-2026-33001 can achieve remote code execution on the Jenkins controller. This is achieved by crafting malicious .tar or .tar.gz archives that leverage symbolic links to write files outside of the intended extraction directory. Successful exploitation requires the attacker to have Item/Configure permissions within Jenkins, or the ability to control agent processes. The potential impact is significant, as an attacker could compromise the entire Jenkins environment, steal sensitive data, or pivot to other systems on the network. This vulnerability shares similarities with other archive extraction vulnerabilities where improper handling of symbolic links can lead to arbitrary file writes.
CVE-2026-33001 was publicly disclosed on 2026-03-18. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the nature of the vulnerability suggests a moderate likelihood of exploitation given its relatively straightforward exploitation path. The NVD entry was published on the same date as the public disclosure.
Exploit Status
EPSS
0.12% (31% percentile)
CVSS Vector
The primary mitigation for CVE-2026-33001 is to upgrade Jenkins Core to version 2.555 or later. If an immediate upgrade is not possible, consider restricting file system access permissions for the Jenkins user to minimize the potential impact of a successful exploit. Additionally, implement input validation on any archives uploaded to Jenkins to prevent the inclusion of malicious symbolic links. While not a direct fix, configuring Jenkins to run in a containerized environment with restricted file system access can also limit the blast radius of a potential compromise. After upgrade, confirm by attempting to upload a test archive containing a symbolic link and verifying that it is rejected.
Update Jenkins to version 2.555 or later, or to version 2.541.3 or later of the LTS line. This corrects the vulnerability in the handling of symbolic links during the extraction of .tar and .tar.gz files. The update will prevent attackers with Item/Configure permissions or control over agent processes from deploying malicious scripts or plugins on the controller.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33001 is a HIGH severity vulnerability in Jenkins Core versions ≤2.99 that allows attackers to write files to arbitrary locations on the Jenkins controller's filesystem.
If you are running Jenkins Core versions 2.554 or earlier, or LTS versions 2.541.2 or earlier, you are affected by this vulnerability.
Upgrade Jenkins Core to version 2.555 or later to remediate the vulnerability. Consider restricting file system access permissions as an interim measure.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the official Jenkins security advisory at [https://www.jenkins.io/security/advisories/](https://www.jenkins.io/security/advisories/) for detailed information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.