PatchSiren cyber security CVE debrief
CVE-2026-57281 Jenkins CVE debrief
The CVE-2026-57281 vulnerability affects the Jenkins Script Security Plugin, specifically versions 1402.v94c9ce464861 and earlier. This plugin does not reject Groovy AST transformation annotations carrying an extensions member, which allows attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVE was published on 2026-06-24T14:17:34.023Z and last modified on 2026-06-30T03:21:04.843Z. To address this vulnerability, users should update to a patched version of the plugin.
- Vendor
- Jenkins
- Product
- Script Security
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-24
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-06-24
- Advisory updated
- 2026-06-30
Who should care
Administrators and users of Jenkins instances with the Script Security Plugin installed should be aware of this vulnerability. This vulnerability could allow an attacker to execute code outside the sandbox, potentially leading to unauthorized access or modifications. Therefore, it is crucial for Jenkins administrators to assess their exposure and take necessary actions to mitigate the risk.
Technical summary
The Jenkins Script Security Plugin vulnerability (CVE-2026-57281) arises from the plugin's failure to reject Groovy AST transformation annotations with an extensions member. This oversight enables attackers who can run sandboxed Groovy scripts to execute code outside the sandbox, provided a suitable script is on the classpath of the evaluating component. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a high severity level. The Common Weakness Enumeration (CWE) identifiers associated with this vulnerability include CWE-93, CWE-693, and CWE-917.
Defensive priority
High priority should be given to updating the Jenkins Script Security Plugin to a version that addresses this vulnerability. Administrators should review their Jenkins instance configurations and ensure that all necessary patches are applied to prevent potential exploitation.
Recommended defensive actions
- Update the Jenkins Script Security Plugin to the latest version.
- Review and adjust Jenkins instance configurations to ensure security.
- Monitor Jenkins instances for suspicious activity.
- Implement additional security measures to detect and prevent sandbox escapes.
- Verify that all Groovy scripts and plugins are up-to-date and compliant with security policies.
Evidence notes
The CVE-2026-57281 vulnerability details were obtained from the official CVE record and the National Vulnerability Database (NVD). The vulnerability affects Jenkins Script Security Plugin versions 1402.v94c9ce464861 and earlier. The CVSS score and vector were provided by the NVD. Additional information was gathered from vendor advisories and related sources.
Official resources
-
CVE-2026-57281 CVE record
CVE.org
-
CVE-2026-57281 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.