PatchSiren cyber security CVE debrief
CVE-2026-48922 Jenkins Project CVE debrief
A path traversal vulnerability in Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier allows attackers with permission to configure credentials for a job to write files to arbitrary locations on the filesystem of the node that runs the job. The plugin does not sanitize the file names of file and zip file credentials before writing them out. When Jenkins is configured so that low-privileged users may configure file or zip file credentials for jobs that run on the built-in node, which executes inside the controller process, exploitation can lead to remote code execution. The CVSS 3.1 vector is network-based with high attack complexity, low privileges required and no user interaction. The CVE record was published and last modified on May 27, 2026. No exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Jenkins Project
- Product: Jenkins Credentials Binding Plugin
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Jenkins administrators, DevOps engineers, and security teams managing CI/CD infrastructure should prioritize this vulnerability. Organizations with multi-tenant Jenkins instances or those delegating credential configuration to non-administrative users face elevated risk. Security teams should coordinate with development teams to ensure plugin updates do not disrupt build pipelines.
Technical summary
The Jenkins Credentials Binding Plugin binds file and zip file credentials by writing their contents to a temporary location on the node where the job runs, using the file name stored with the credential. Versions 720.v3f6decef43ea_ and earlier do not sanitize that name. An attacker who can configure a credential for a job can therefore set a file name containing directory traversal sequences (for example ../), and the write lands outside the intended directory. On an agent this is an arbitrary file write as the agent user; on the built-in node, which executes inside the controller process, the write happens as the Jenkins controller's user, and placing a file where the controller or the operating system will execute or load it can yield remote code execution. That is why the advisory's RCE condition is a configuration that lets low-privileged users configure file or zip file credentials for jobs running on the built-in node.
Defensive priority
high
Recommended defensive actions
- Upgrade Jenkins Credentials Binding Plugin to a version newer than 720.v3f6decef43ea_ as specified in the Jenkins security advisory
- Review Jenkins configurations where low-privileged users can configure file or zip file credentials for jobs running on the built-in node
- Audit file system permissions on Jenkins nodes to restrict unauthorized write access
- Audit stored file and zip file credentials, whether global, folder or job scoped, for file names containing traversal sequences or path separators, and alert on new credentials that match
- Implement principle of least privilege for credential configuration permissions
- Review Jenkins security advisories regularly for plugin security updates
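The following is an added example, not code from the Jenkins Credentials Binding Plugin or the Jenkins project. It shows the unsafe join pattern behind the traversal described in the technical summary beside a hardened check that refuses any name that would leave the per-build temp directory, and reuses that check as an audit helper for the credential review recommended above. It goes slightly beyond the advisory text by also rejecting absolute paths and backslash separators, since the same join would mishandle them. The credentials.xml layout (a `<fileName>` element under each file credential, next to `<id>`) is an assumption, and the sample XML is constructed, not a real export.

```python
"""Traversal-safe handling of user-controlled credential file names.

Added example; not Jenkins plugin code. The credentials.xml element names
used by the audit helper are an assumption.
"""
import os
import tempfile
import xml.etree.ElementTree as ET


def unsafe_target(workdir: str, file_name: str) -> str:
    """The vulnerable pattern: join the attacker-controlled name onto the
    build temp directory without validating it. Returns the normalized path
    the file would land at, which may be anywhere on the node."""
    return os.path.normpath(os.path.join(workdir, file_name))


def is_safe_file_name(workdir: str, file_name: str) -> bool:
    """Accept only a plain base name that still resolves inside workdir.
    Rejects empty names, '.' and '..', any path separator (which covers
    '../' prefixes, absolute paths and Windows-style '..\\'), NUL bytes,
    and anything whose resolved path escapes the directory."""
    if not file_name or file_name in (".", ".."):
        return False
    if "/" in file_name or "\\" in file_name or "\x00" in file_name:
        return False
    base = os.path.realpath(workdir)
    target = os.path.realpath(os.path.join(base, file_name))
    return os.path.commonpath([base, target]) == base


def write_credential_file(workdir: str, file_name: str, content: bytes) -> str:
    """Hardened write: refuse unsafe names instead of writing them."""
    if not is_safe_file_name(workdir, file_name):
        raise ValueError(f"rejected credential file name: {file_name!r}")
    target = os.path.join(workdir, file_name)
    with open(target, "wb") as fh:
        fh.write(content)
    return target


# Constructed sample in the assumed credentials.xml shape; not a real export.
SAMPLE_CREDENTIALS_XML = """<credentials>
  <fileCredential>
    <id>kubeconfig-prod</id>
    <fileName>kubeconfig</fileName>
  </fileCredential>
  <fileCredential>
    <id>traversal-demo</id>
    <fileName>../../../etc/cron.d/backdoor</fileName>
  </fileCredential>
  <fileCredential>
    <id>absolute-demo</id>
    <fileName>/etc/passwd</fileName>
  </fileCredential>
</credentials>
"""


def find_unsafe_file_names(credentials_xml: str) -> list:
    """Audit helper: return (credential id, file name) for every stored
    file credential whose name would escape the temp directory. The check
    is structural, so the workdir passed here only needs to be a plausible
    absolute path, not the real build temp directory."""
    findings = []
    root = ET.fromstring(credentials_xml)
    for element in root.iter():
        name_el = element.find("fileName")
        if name_el is None:
            continue
        id_el = element.find("id")
        cred_id = id_el.text if id_el is not None else "<no id>"
        if not is_safe_file_name("/tmp/build", name_el.text or ""):
            findings.append((cred_id, name_el.text))
    return findings


def demo_safe_write():
    """Exercise the hardened writer in a throwaway directory. Returns the
    bytes read back from the accepted file and how many names were refused."""
    rejected = 0
    with tempfile.TemporaryDirectory() as workdir:
        path = write_credential_file(workdir, "token", b"secret")
        with open(path, "rb") as fh:
            data = fh.read()
        for bad in ("../../etc/cron.d/backdoor", "/etc/passwd"):
            try:
                write_credential_file(workdir, bad, b"x")
            except ValueError:
                rejected += 1
    return data, rejected


if __name__ == "__main__":
    print("unsafe join lands at:", unsafe_target("/tmp/build", "../../etc/cron.d/backdoor"))
    print("audit findings:", find_unsafe_file_names(SAMPLE_CREDENTIALS_XML))
    print("hardened writer:", demo_safe_write())
```

The separator check does the real work: a name that is only a base name cannot contain `../`, so the `realpath` containment test is a second line of defence against symlinks or unusual filesystems rather than the primary control. For an audit of a live controller, feed the same check the file names of every file and zip file credential in every credential store rather than only the global one.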
Evidence notes
Vulnerability description sourced from official NVD record and Jenkins security advisory. CVSS 3.1 vector confirms network attack vector with high complexity and low privilege requirements. CWE-20 (Improper Input Validation) identified as secondary weakness classification.
Official resources
- CVE-2026-48922 CVE record (CVE.org)
- CVE-2026-48922 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: public