Platform: jenkins
Component: org.jenkins-ci.main:jenkins-core
Fixed in: 2.426.3, 2.442, 2.541.3, 2.555
CVE-2026-33002 is a security vulnerability affecting Jenkins Core versions up to 2.554, including LTS versions 2.426.3 through 2.541.2. This vulnerability allows attackers to bypass origin validation in the CLI WebSocket endpoint through DNS rebinding attacks. Successful exploitation could lead to unauthorized access and potential compromise of the Jenkins instance. A fix is available in version 2.555.
The core of this vulnerability lies in Jenkins' origin validation mechanism for the CLI WebSocket endpoint. Instead of directly validating the origin header, Jenkins calculates the expected origin based on the Host or X-Forwarded-Host HTTP request headers. A DNS rebinding attack exploits this by manipulating DNS resolution to make a malicious domain appear to resolve to the Jenkins server's IP address. This allows an attacker to craft requests with a seemingly legitimate origin, bypassing the validation and potentially gaining unauthorized access to sensitive data and functionality within the Jenkins environment. The potential impact includes unauthorized code execution, data breaches, and compromise of the entire CI/CD pipeline.
CVE-2026-33002 was publicly disclosed on 2026-03-18. While no public proof-of-concept (PoC) has been released as of this writing, the DNS rebinding technique is well-understood and readily exploitable. The EPSS score is likely to be assessed as medium due to the ease of exploitation and the potential impact on CI/CD pipelines. It has not yet been added to the CISA KEV catalog.
Organizations heavily reliant on Jenkins for their CI/CD pipelines are particularly at risk. Environments with exposed Jenkins instances or those using shared hosting configurations are also more vulnerable. Any deployment pattern where the Jenkins server's IP address is accessible from untrusted networks should be considered at risk.
• java / server: Monitor Jenkins logs for unusual Origin headers or unexpected WebSocket connections. Use a network intrusion detection system (NIDS) to detect DNS rebinding attempts targeting the Jenkins server.
• generic web: Use curl to test the CLI WebSocket endpoint with manipulated Host headers to attempt origin bypass.
curl -H "Host: malicious.example.com" http://jenkins-server/cli
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CVSS vector
The primary mitigation for CVE-2026-33002 is to upgrade Jenkins Core to version 2.555 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to configure a Web Application Firewall (WAF) or reverse proxy to strictly enforce origin validation rules, rejecting requests with unexpected or suspicious origins. Additionally, review and restrict access to the CLI WebSocket endpoint, limiting it to trusted networks and users. Monitor Jenkins logs for unusual origin patterns that might indicate an attempted DNS rebinding attack.
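To make the flaw described above concrete, and to show what the strict origin check the mitigation calls for looks like, here is an added Python model; it is not Jenkins' code. The weak check rebuilds the expected origin from the client-controlled Host/X-Forwarded-Host headers, the hardened check compares Origin against a server-side configured root URL; all header values and the ROOT_URL setting are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample WebSocket upgrade requests (header name -> value).
# LEGIT is a browser on the real Jenkins host. REBOUND is the DNS-rebinding
# case: the attacker's name now resolves to the Jenkins IP, so the browser
# sends the attacker's hostname in both Host and Origin. PROXIED shows the
# same situation behind a proxy that forwards X-Forwarded-Host.
LEGIT = {"Host": "jenkins.internal:8080", "Origin": "http://jenkins.internal:8080"}
REBOUND = {"Host": "attacker.example", "Origin": "http://attacker.example"}
PROXIED = {"Host": "10.0.0.5:8080", "X-Forwarded-Host": "attacker.example",
           "Origin": "http://attacker.example"}

# Hypothetical server-side setting, the analogue of a configured root URL.
ROOT_URL = "http://jenkins.internal:8080/"


def weak_origin_ok(headers, scheme="http"):
    """Weak pattern: the 'expected' origin is rebuilt from Host or
    X-Forwarded-Host. Both are chosen by the client, so any Origin that
    matches the Host the client itself sent passes the check."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    expected = f"{scheme}://{host}".lower()
    return headers.get("Origin", "").lower() == expected


def _default_port(scheme):
    return {"http": 80, "https": 443}.get(scheme)


def strict_origin_ok(headers, root_url):
    """Hardened pattern: compare scheme, host and port of Origin against a
    configured root URL and ignore what the request claims its host is.
    A missing or malformed Origin is rejected."""
    origin = urlsplit(headers.get("Origin", ""))
    root = urlsplit(root_url)
    if not origin.scheme or not origin.hostname:
        return False
    try:
        origin_port = origin.port or _default_port(origin.scheme)
    except ValueError:  # non-numeric port in a malformed Origin
        return False
    return (origin.scheme, origin.hostname, origin_port) == \
        (root.scheme, root.hostname, root.port or _default_port(root.scheme))


def compare(headers, root_url=ROOT_URL):
    """Return both verdicts so the difference is visible side by side."""
    return {"weak": weak_origin_ok(headers), "strict": strict_origin_ok(headers, root_url)}


if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("rebound", REBOUND), ("proxied", PROXIED)):
        print(name, compare(req))
```

Only the rebound and proxied requests separate the two checks: the weak check accepts all three because the client supplied both halves of the comparison, while the strict check accepts only the request whose Origin matches the configured root URL.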
Update Jenkins to version 2.555 or later, or to LTS version 2.541.3 or later. This fixes the origin validation vulnerability in the CLI WebSocket endpoint and prevents DNS rebinding attacks.
CVE-2026-33002 is a HIGH severity vulnerability in Jenkins Core versions up to 2.554 that allows attackers to bypass origin validation via DNS rebinding, potentially leading to unauthorized access.
If you are running Jenkins Core versions 2.442 through 2.554, or LTS versions 2.426.3 through 2.541.2, you are affected by this vulnerability.
Upgrade Jenkins Core to version 2.555 or later to resolve this vulnerability. If immediate upgrade is not possible, implement WAF rules to enforce origin validation.
While no active exploitation has been confirmed, the vulnerability is readily exploitable and the potential impact is significant, so proactive mitigation is recommended.
Refer to the official Jenkins security advisory for CVE-2026-33002 on the Jenkins website: [https://www.jenkins.io/security/advisories/]