PatchSiren cyber security CVE debrief
CVE-2026-33001 Jenkins Project CVE debrief
CVE-2026-33001 is a high-severity vulnerability in Jenkins that allows attackers to write files to arbitrary locations on the filesystem using crafted .tar and .tar.gz archives. This vulnerability affects Jenkins versions 2.554 and earlier, as well as LTS versions 2.541.2 and earlier. An attacker with Item/Configure permission or control over agent processes can exploit this vulnerability to deploy malicious scripts or plugins on the controller. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. The issue is caused by Jenkins not safely handling symbolic links during archive extraction, allowing attackers to bypass file system access permissions.
- Vendor
- Jenkins Project
- Product
- Jenkins
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-18
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-03-18
- Advisory updated
- 2026-06-30
Who should care
Administrators and users of Jenkins versions 2.554 and earlier, or LTS versions 2.541.2 and earlier, should be aware of this vulnerability and take immediate action to mitigate it. This vulnerability can be exploited by attackers with Item/Configure permission or control over agent processes, making it a high-risk issue for Jenkins installations. Additionally, security teams and incident response teams should be aware of this vulnerability and monitor for potential exploitation attempts.
Technical summary
The vulnerability is caused by Jenkins not properly handling symbolic links during the extraction of .tar and .tar.gz archives. This allows attackers to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. An attacker with Item/Configure permission or control over agent processes can exploit this vulnerability to deploy malicious scripts or plugins on the controller. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
This vulnerability has a high defensive priority due to its high CVSS score and potential impact on Jenkins installations. Administrators should prioritize patching or mitigating this vulnerability as soon as possible to prevent potential exploitation.
Recommended defensive actions
- Update Jenkins to version 2.555 or later, or LTS version 2.541.3 or later.
- Restrict access to Jenkins to only trusted users and limit permissions to prevent exploitation.
- Monitor Jenkins installations for potential exploitation attempts and anomalous activity.
- Implement additional security controls, such as file system access controls and monitoring, to detect and prevent potential exploitation.
- Review and update incident response plans to address potential exploitation of this vulnerability.
Evidence notes
The evidence for this vulnerability comes from the official CVE record and the NVD detail page. The CVE record provides a brief description of the vulnerability, while the NVD detail page provides additional information, including the CVSS score and vector. Additional references, including vendor advisories and source references, are also available.
Official resources
-
CVE-2026-33001 CVE record
CVE.org
-
CVE-2026-33001 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.