TL;DR
Jenkins published a security advisory on 24 June 2026. It covers 22 Jenkins plugin vulnerabilities across 18 plugins. Several can lead to remote code execution on the Jenkins controller. Five issues still have no fix.
Why It Matters
Jenkins sits at the heart of many software pipelines, so a single compromised controller can expose source code and secrets. The controller often holds cloud keys and signing credentials, which makes it a prized single point of control for attackers. These Jenkins plugin vulnerabilities hand attackers several new paths in.
The Jenkins project fixed most issues through its bug bounty program. The European Commission sponsors that program.
How the Attacks Work
Sandbox bypass leads to code execution
The most serious bug (CVE-2026-57281) is a sandbox bypass in the Script Security Plugin. That sandbox is meant to run user scripts safely. However, it missed an implicit type cast inside typed for-each loops. As a result, a crafted script can call arbitrary constructors. This lets a low-privileged user run code on the controller. A second sandbox bypass abuses Groovy annotations, though Jenkins rates real-world abuse as very unlikely.
File reads and RCE in other plugins
Two more High flaws expose the controller’s file system. The External Workspace Manager Plugin (CVE-2026-57296) fails to reject “..” path segments, so an attacker with Item/Configure permission can read arbitrary files, and that access can then escalate to code execution. Separately, the OWASP ZAP Plugin (CVE-2026-57301) runs builds on the controller instead of an agent, which also opens a route to code execution.
Permission and CSRF gaps
Most other issues involve missing permission checks or CSRF gaps. Many affected endpoints neither require POST nor check permissions, so they are open to both CSRF and direct calls by low-privileged users. Attackers could then enumerate credentials, branches, or server URLs. These gaps touch many connectors; affected plugins include Gitee, EC2 Fleet, Contrast, and Bitbucket. Some let a low-privileged user capture stored credentials, while others expose AWS keys or repository metadata. One Assembla flaw also enables an XXE attack with no current fix.
Affected Versions
The flaws affect the listed plugins at or below the noted releases. For example, Script Security Plugin 1402.v94c9ce464861 and earlier carries the sandbox bypass. Git client Plugin 6.6.0 and earlier also holds a command injection bug. All earlier plugin versions count as affected unless the advisory notes otherwise. The advisory lists exact versions for each affected plugin.
Exploitation Status
Jenkins has not reported active exploitation of these flaws, and no public proof-of-concept exists for them yet. Public CVE records now describe each bug, however, so defenders should patch quickly.
Patch and Mitigation
Patching these Jenkins plugin vulnerabilities is the clear next step. Update each affected plugin to its fixed version now. For instance, upgrade Script Security Plugin to 1402.1405.vc96e74964250. Also move External Workspace Manager Plugin to 1.4.0. Test plugin updates in staging before production rollout. Then purge any cached script approvals you do not recognize.
Five issues across four plugins ship without a fix. These include the OWASP ZAP, FitNesse, Assembla, and Zowe zDevOps plugins. For those, restrict access or remove the plugin until a fix lands. Also tighten permissions like Item/Configure and Overall/Read across the board. Finally, keep the Jenkins controller off the public internet.
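As an added example (not code from the advisory or the Jenkins project), the following Python check reads the plugin list a Jenkins controller returns from GET /pluginManager/api/json?depth=1 and flags plugins still below the fixed versions quoted above. The plugin short names and the sample JSON are assumptions; the version strings come from the summary.

```python
import json

# Versions quoted in the summary above. The plugin short names (the
# "shortName" field Jenkins returns) are assumed; confirm against the advisory.
ADVISORY = {
    "script-security": {"affected_upto": "1402.v94c9ce464861",
                        "first_fixed": "1402.1405.vc96e74964250"},
    "external-workspace-manager": {"affected_upto": None, "first_fixed": "1.4.0"},
    "git-client": {"affected_upto": "6.6.0", "first_fixed": None},
}

# Constructed sample of the /pluginManager/api/json?depth=1 response,
# trimmed to the two fields used here.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({"plugins": [
    {"shortName": "script-security", "version": "1402.v94c9ce464861"},
    {"shortName": "external-workspace-manager", "version": "1.3.2"},
    {"shortName": "git-client", "version": "6.6.1"},
    {"shortName": "unrelated-plugin", "version": "2.0"},
]})


def parse_version(version):
    """Split a Jenkins plugin version into comparable parts.

    Versions mix numbers with incrementals hashes ("1402.v94c9ce464861").
    Numbers compare numerically, and a numeric part outranks a hash part in
    the same position, so 1402.1405.vc96e... sorts after 1402.v94c9.... This
    simplifies Jenkins's own VersionNumber class but suffices for these ids.
    """
    return [(1, int(tok)) if tok.isdigit() else (0, tok) for tok in version.split(".")]


def vulnerable_plugins(plugin_manager_json, advisory=ADVISORY):
    """Map shortName -> (installed version, advice) for plugins still at risk."""
    findings = {}
    for plugin in json.loads(plugin_manager_json)["plugins"]:
        entry = advisory.get(plugin["shortName"])
        if entry is None:
            continue
        installed = parse_version(plugin["version"])
        if entry["first_fixed"] is not None:
            at_risk = installed < parse_version(entry["first_fixed"])
            advice = f"upgrade to {entry['first_fixed']}"
        else:  # summary gives only the last affected version
            at_risk = installed <= parse_version(entry["affected_upto"])
            advice = "fix version not given in this summary; check the advisory"
        if at_risk:
            findings[plugin["shortName"]] = (plugin["version"], advice)
    return findings
```

Running it against the sample flags script-security and external-workspace-manager and leaves git-client 6.6.1 alone, since that release is above the last affected version the summary names.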