PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53435 Jenkins Project CVE debrief

CVE-2026-53435 is a high-severity vulnerability in Jenkins, a popular automation server. The vulnerability has a CVSS score of 8.8 and was published on [cvePublishedAt]. It affects Jenkins versions 2.567 and earlier, as well as LTS versions 2.555.2 and earlier. The vulnerability allows attackers to deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission. This can be used to impersonate any user and send HTTP requests on their behalf, potentially leading to code execution or unauthorized file access.

Vendor
Jenkins Project
Product
Jenkins
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Administrators and users of Jenkins instances, particularly those using versions 2.567 and earlier or LTS 2.555.2 and earlier, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by a deserialization issue in Jenkins. When an attacker submits a malicious `config.xml` file, Jenkins can deserialize arbitrary types, allowing the attacker to handle HTTP requests on behalf of any user. This can lead to impersonation, code execution, or unauthorized file access.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Jenkins version 2.568 or later, or LTS 2.555.3 or later.
  • Restrict access to the Jenkins instance to prevent unauthorized submissions of `config.xml` files.
  • Monitor Jenkins instance logs for suspicious activity.

Evidence notes

The CVE record and NVD detail pages provide additional information about the vulnerability, including its CVSS score and affected versions.

Official resources

CVE-2026-53435 was published on 2026-06-10T14:16:36.440Z and modified on 2026-06-11T13:26:14.093Z.