Platform: jenkins
Component: org.jenkins-ci.main:jenkins-core
Fixed in: 2.426.3, 2.442, 2.541.3, 2.555
CVE-2026-33002 is a security vulnerability affecting Jenkins Core versions up to 2.554, including LTS versions 2.426.3 through 2.541.2. This vulnerability allows attackers to bypass origin validation in the CLI WebSocket endpoint through DNS rebinding attacks. Successful exploitation could lead to unauthorized access and potential compromise of the Jenkins instance. A fix is available in version 2.555.
The core of this vulnerability lies in Jenkins' origin validation mechanism for the CLI WebSocket endpoint. Instead of validating the Origin header against a configured value, Jenkins derives the expected origin from the Host or X-Forwarded-Host request headers, which the client supplies. A DNS rebinding attack exploits this by manipulating DNS resolution so that an attacker-controlled domain resolves to the Jenkins server's IP address; a browser visiting that domain then sends requests whose Host and Origin headers both carry that domain, so the derived "expected" origin matches and the validation is bypassed. This can give an attacker access to sensitive data and functionality within the Jenkins environment. The potential impact includes unauthorized code execution, data breaches, and compromise of the entire CI/CD pipeline.
CVE-2026-33002 was publicly disclosed on 2026-03-18. While no public proof-of-concept (PoC) has been released as of this writing, the DNS rebinding technique is well-understood and readily exploitable. The EPSS score is likely to be assessed as medium due to the ease of exploitation and the potential impact on CI/CD pipelines. It has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (15th percentile)
CVSS Vector
The primary mitigation for CVE-2026-33002 is to upgrade Jenkins Core to version 2.555 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to configure a Web Application Firewall (WAF) or reverse proxy to strictly enforce origin validation rules, rejecting requests with unexpected or suspicious origins. Additionally, review and restrict access to the CLI WebSocket endpoint, limiting it to trusted networks and users. Monitor Jenkins logs for unusual origin patterns that might indicate an attempted DNS rebinding attack.
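To make the mechanism above and the reverse-proxy/log-monitoring mitigation concrete, here is an added illustration (not code from the Jenkins project or this advisory) that contrasts the weak Host-derived origin check with an allowlist-based check and runs the latter over constructed access-log lines. The hostnames, allowlist and log format are assumptions constructed for the example; /cli/ws is the CLI WebSocket endpoint path.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the Jenkins root URL(s) this deployment actually serves.
TRUSTED_ORIGINS = {"http://jenkins.example.internal:8080"}

# Constructed WebSocket upgrade requests (header name -> value). The second one
# models the advisory's scenario: after DNS rebinding the browser sends the
# attacker-controlled hostname in both Host and Origin.
LEGIT_REQUEST = {"Host": "jenkins.example.internal:8080",
                 "Origin": "http://jenkins.example.internal:8080"}
REBOUND_REQUEST = {"Host": "rebind.attacker.example",
                   "Origin": "http://rebind.attacker.example"}


def normalize_origin(origin):
    """Reduce an Origin value to scheme://host[:port]; None if malformed."""
    parts = urlsplit(origin)
    try:
        host, port = parts.hostname, parts.port  # userinfo is discarded here
    except ValueError:  # non-numeric port
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return f"{parts.scheme}://{host}" + (f":{port}" if port else "")


def host_derived_origin_ok(headers, scheme="http"):
    """Weak check, the pattern the advisory describes: the expected origin is
    computed from X-Forwarded-Host / Host, which the client controls."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return headers.get("Origin", "") == f"{scheme}://{host}"


def allowlisted_origin_ok(headers, trusted=TRUSTED_ORIGINS):
    """Hardened check: Origin must match a configured allowlist; Host is ignored."""
    return normalize_origin(headers.get("Origin", "")) in trusted


# Constructed reverse-proxy access-log lines in a simple key=value layout.
SAMPLE_LOG = [
    "path=/cli/ws host=jenkins.example.internal:8080 origin=http://jenkins.example.internal:8080",
    "path=/cli/ws host=rebind.attacker.example origin=http://rebind.attacker.example",
]


def suspicious_cli_origins(lines, trusted=TRUSTED_ORIGINS):
    """Detection: Origin values on /cli/ws upgrades that are not allowlisted."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("path") == "/cli/ws" and not allowlisted_origin_ok(
                {"Origin": fields.get("origin", "")}, trusted):
            hits.append(fields.get("origin", ""))
    return hits
```

The rebound request passes the Host-derived check but fails the allowlist check, which is the property a WAF or reverse-proxy rule in front of an unpatched instance needs to enforce.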
Update Jenkins to version 2.555 or later, or to LTS version 2.541.3 or later. This corrects the origin validation flaw in the CLI WebSocket endpoint, preventing DNS rebinding attacks.
CVE-2026-33002 is a HIGH severity vulnerability in Jenkins Core versions up to 2.554 that allows attackers to bypass origin validation via DNS rebinding, potentially leading to unauthorized access.
If you are running Jenkins Core versions 2.442 through 2.554, or LTS versions 2.426.3 through 2.541.2, you are affected by this vulnerability.
Upgrade Jenkins Core to version 2.555 or later to resolve this vulnerability. If immediate upgrade is not possible, implement WAF rules to enforce origin validation.
While no active exploitation has been confirmed, the vulnerability is readily exploitable and the potential impact is significant, so proactive mitigation is recommended.
Refer to the official Jenkins security advisory for CVE-2026-33002 on the Jenkins website: [https://www.jenkins.io/security/advisories/]