PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57281 Jenkins CVE debrief

The CVE-2026-57281 vulnerability affects the Jenkins Script Security Plugin, specifically versions 1402.v94c9ce464861 and earlier. This plugin does not reject Groovy AST transformation annotations carrying an extensions member, which allows attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVE was published on 2026-06-24T14:17:34.023Z and last modified on 2026-06-30T03:21:04.843Z. To address this vulnerability, users should update to a patched version of the plugin.

Vendor
Jenkins
Product
Script Security
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-24
Original CVE updated
2026-06-30
Advisory published
2026-06-24
Advisory updated
2026-06-30

Who should care

Administrators and users of Jenkins instances with the Script Security Plugin installed should be aware of this vulnerability. This vulnerability could allow an attacker to execute code outside the sandbox, potentially leading to unauthorized access or modifications. Therefore, it is crucial for Jenkins administrators to assess their exposure and take necessary actions to mitigate the risk.

Technical summary

The Jenkins Script Security Plugin vulnerability (CVE-2026-57281) arises from the plugin's failure to reject Groovy AST transformation annotations with an extensions member. This oversight enables attackers who can run sandboxed Groovy scripts to execute code outside the sandbox, provided a suitable script is on the classpath of the evaluating component. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a high severity level. The Common Weakness Enumeration (CWE) identifiers associated with this vulnerability include CWE-93, CWE-693, and CWE-917.

Defensive priority

High priority should be given to updating the Jenkins Script Security Plugin to a version that addresses this vulnerability. Administrators should review their Jenkins instance configurations and ensure that all necessary patches are applied to prevent potential exploitation.

Recommended defensive actions

  • Update the Jenkins Script Security Plugin to the latest version.
  • Review and adjust Jenkins instance configurations to ensure security.
  • Monitor Jenkins instances for suspicious activity.
  • Implement additional security measures to detect and prevent sandbox escapes.
  • Verify that all Groovy scripts and plugins are up-to-date and compliant with security policies.

Evidence notes

The CVE-2026-57281 vulnerability details were obtained from the official CVE record and the National Vulnerability Database (NVD). The vulnerability affects Jenkins Script Security Plugin versions 1402.v94c9ce464861 and earlier. The CVSS score and vector were provided by the NVD. Additional information was gathered from vendor advisories and related sources.

Official resources

This article is AI-assisted and based on the supplied source corpus.