PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33001 Jenkins Project CVE debrief

CVE-2026-33001 is a high-severity vulnerability in Jenkins that allows attackers to write files to arbitrary locations on the filesystem using crafted .tar and .tar.gz archives. This vulnerability affects Jenkins versions 2.554 and earlier, as well as LTS versions 2.541.2 and earlier. An attacker with Item/Configure permission or control over agent processes can exploit this vulnerability to deploy malicious scripts or plugins on the controller. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. The issue is caused by Jenkins not safely handling symbolic links during archive extraction, allowing attackers to bypass file system access permissions.

Vendor
Jenkins Project
Product
Jenkins
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-06-30
Advisory published
2026-03-18
Advisory updated
2026-06-30

Who should care

Administrators and users of Jenkins versions 2.554 and earlier, or LTS versions 2.541.2 and earlier, should be aware of this vulnerability and take immediate action to mitigate it. This vulnerability can be exploited by attackers with Item/Configure permission or control over agent processes, making it a high-risk issue for Jenkins installations. Additionally, security teams and incident response teams should be aware of this vulnerability and monitor for potential exploitation attempts.

Technical summary

The vulnerability is caused by Jenkins not properly handling symbolic links during the extraction of .tar and .tar.gz archives. This allows attackers to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. An attacker with Item/Configure permission or control over agent processes can exploit this vulnerability to deploy malicious scripts or plugins on the controller. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

This vulnerability has a high defensive priority due to its high CVSS score and potential impact on Jenkins installations. Administrators should prioritize patching or mitigating this vulnerability as soon as possible to prevent potential exploitation.

Recommended defensive actions

  • Update Jenkins to version 2.555 or later, or LTS version 2.541.3 or later.
  • Restrict access to Jenkins to only trusted users and limit permissions to prevent exploitation.
  • Monitor Jenkins installations for potential exploitation attempts and anomalous activity.
  • Implement additional security controls, such as file system access controls and monitoring, to detect and prevent potential exploitation.
  • Review and update incident response plans to address potential exploitation of this vulnerability.

Evidence notes

The evidence for this vulnerability comes from the official CVE record and the NVD detail page. The CVE record provides a brief description of the vulnerability, while the NVD detail page provides additional information, including the CVSS score and vector. Additional references, including vendor advisories and source references, are also available.

Official resources

This article is AI-assisted and based on the supplied source corpus.