PatchSiren cyber security CVE debrief
CVE-2026-48921 Jenkins Project CVE debrief
A path traversal vulnerability in Jenkins Pipeline: Groovy Libraries Plugin allows attackers with control over shared library content to read arbitrary files on the Jenkins controller filesystem. The plugin versions 797.v90ea_a_9b_e45a_0 and earlier fail to prohibit symbolic links in shared libraries, enabling directory traversal attacks. This vulnerability is classified as HIGH severity with a CVSS score of 7.5. The issue was disclosed on May 27, 2026, with both initial publication and subsequent modification occurring on the same date. The root cause is improper link resolution (CWE-59), where symbolic links are not validated before file access operations. Attackers can exploit this by crafting malicious shared libraries containing symbolic links that point to sensitive files outside the intended library directory. Successful exploitation requires the attacker to have the ability to control shared library content used by a Pipeline job, combined with network access to the Jenkins instance. The vulnerability affects confidentiality, integrity, and availability of the Jenkins controller. Organizations should upgrade to a patched version of the Pipeline: Groovy Libraries Plugin when available, implement strict access controls on shared library repositories, and audit shared library sources for unauthorized modifications.
- Vendor
- Jenkins Project
- Product
- Jenkins Pipeline: Groovy Libraries Plugin
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Jenkins administrators managing Pipeline: Groovy Libraries Plugin installations, DevOps engineers using Jenkins shared libraries, security teams responsible for CI/CD infrastructure protection, and organizations relying on Jenkins for automated build and deployment pipelines.
Technical summary
The Jenkins Pipeline: Groovy Libraries Plugin fails to validate symbolic links within shared library directories. When a Pipeline job loads a shared library containing a symbolic link, the plugin resolves the link without checking whether the target resides outside the intended library path. This allows an attacker who can modify shared library content to create symbolic links pointing to arbitrary files on the Jenkins controller filesystem (e.g., /etc/passwd, Jenkins credentials files, or other sensitive configuration). The vulnerability requires network access to the Jenkins instance and the ability to influence shared library content, with high attack complexity due to the need for library modification privileges. The CVSS 3.1 score of 7.5 reflects HIGH impacts to confidentiality, integrity, and availability, though the attack requires low privileges and no user interaction.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Pipeline: Groovy Libraries Plugin to a version newer than 797.v90ea_a_9b_e45a_0 when a security fix is released
- Implement strict access controls and code review processes for shared library repositories
- Audit existing shared libraries for unauthorized symbolic links or suspicious modifications
- Restrict Pipeline job execution permissions to trusted users only
- Monitor Jenkins controller filesystem access patterns for anomalous file read operations
- Review Jenkins security advisory SECURITY-3727 for vendor-specific remediation guidance
Evidence notes
Vulnerability confirmed through Jenkins security advisory SECURITY-3727. CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-59 (Improper Link Resolution Before File Access) identified as root cause. Affected versions: 797.v90ea_a_9b_e45a_0 and earlier.
Official resources
-
CVE-2026-48921 CVE record
CVE.org
-
CVE-2026-48921 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-27