Attackers are already abusing a critical Jenkins RCE vulnerability in the wild. Tracked as CVE-2026-53435, the flaw lets them run arbitrary code on Jenkins controllers, and honeypots are already recording live exploitation attempts.
How the flaw works
The bug lives in how Jenkins handles a submitted config.xml file. Specifically, the server deserializes attacker-controlled types from that submission. As a result, an attacker can take over the handling of subsequent requests.
From there, the impact turns severe. An attacker can impersonate any user and send HTTP requests on their behalf. Moreover, they can reach the Script Console to execute code or read sensitive files from the controller. The issue carries a CVSS score of 8.8.
Attacks are happening now
This is not a theoretical risk. The threat-intelligence firm Defused reports that its honeypots began logging exploitation attempts within hours of disclosure. You can review their in-the-wild observations on X, which tie the activity directly to CVE-2026-53435.

Because Jenkins sits at the heart of many CI/CD pipelines, a single compromise can ripple across the software supply chain. Therefore, exposed controllers make an especially high-value target.
What to do
Patch immediately. The affected builds are Jenkins 2.567 and earlier, plus LTS 2.555.2 and earlier. Consequently, every team on those versions should upgrade to the fixed release without delay. The same June 10 advisory also resolves two open-redirect flaws, CVE-2026-53436 and CVE-2026-53437, though neither matches this bug’s severity.
If you cannot update right away, restrict network access to your controller. Additionally, audit user accounts and the Script Console for signs of abuse. Attackers are exploiting this Jenkins RCE vulnerability today, so treat the fix as urgent.
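The two steps above (confirm whether a controller is still on an affected build, then look for abuse of config.xml submissions and the Script Console) can be scripted. The block below is an added example, not Jenkins project code or anything from the advisory. It takes the version thresholds exactly as the article states them (weekly 2.567 and earlier, LTS 2.555.2 and earlier), reads the version from the X-Jenkins response header that Jenkins controllers send, and scans access-log lines for POSTs to config.xml and for hits on the Script Console endpoints (/script, /scriptText, including per-agent consoles that share the /script suffix). The log lines are constructed samples in the Apache combined format; it assumes you have Jenkins access logging enabled in that format, which is not on by default.

```python
"""Triage helpers for the Jenkins RCE advisory described above.

Added example, not Jenkins project code. Version thresholds come from the
article; the log lines are constructed samples in Apache combined format
(assumes access logging is enabled in that format on the controller).
"""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the article: weekly <= 2.567, LTS <= 2.555.2.
AFFECTED_WEEKLY_MAX: Tuple[int, ...] = (2, 567)
AFFECTED_LTS_MAX: Tuple[int, ...] = (2, 555, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.555.2' -> (2, 555, 2); tuples compare element-wise in Python."""
    return tuple(int(part) for part in version.strip().split("."))


def is_lts(version: str) -> bool:
    """LTS builds carry a third component (2.555.2); weekly builds do not (2.567)."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if this controller version is within the affected range."""
    parsed = parse_version(version)
    limit = AFFECTED_LTS_MAX if is_lts(version) else AFFECTED_WEEKLY_MAX
    return parsed <= limit


def version_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Jenkins reports its version in the X-Jenkins response header.

    Header names are matched case-insensitively; returns None if absent.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def _is_config_xml_submission(method: str, path: str) -> bool:
    # The flaw is triggered by a submitted config.xml, so flag every POST to one.
    return method == "POST" and path.endswith("/config.xml")


def _is_script_console(method: str, path: str) -> bool:
    # /script is the interactive console, /scriptText the scripted variant;
    # per-agent consoles live under /computer/<name>/script, so match the suffix.
    return path.endswith("/script") or path.endswith("/scriptText")


CHECKS = [
    ("config.xml submission", _is_config_xml_submission),
    ("script console access", _is_script_console),
]


def audit_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that matches a suspicious pattern."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        method = match.group("method")
        path = match.group("path").split("?", 1)[0]  # drop any query string
        for reason, check in CHECKS:
            if check(method, path):
                findings.append({
                    "reason": reason, "ip": match.group("ip"),
                    "user": match.group("user"), "ts": match.group("ts"),
                    "method": method, "path": path, "status": match.group("status"),
                })
    return findings


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - alice [10/Jun/2026:12:01:03 +0000] "GET /job/build-api/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jun/2026:12:02:17 +0000] "POST /job/build-api/config.xml HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '10.0.0.9 - bob [10/Jun/2026:12:02:19 +0000] "POST /scriptText HTTP/1.1" 200 18 "-" "python-requests/2.31"',
    '10.0.0.5 - alice [10/Jun/2026:12:05:44 +0000] "GET /script HTTP/1.1" 200 9800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Headers as a dict, e.g. from requests.head(url).headers on your own controller.
    version = version_from_headers({"X-Jenkins": "2.555.2"}) or "unknown"
    print(f"controller {version}: {'AFFECTED' if is_affected(version) else 'not affected'}")
    for f in audit_access_log(SAMPLE_LOG):
        print(f"[{f['ts']}] {f['reason']}: {f['method']} {f['path']} by {f['user']}@{f['ip']}")
```

Findings are a starting point for triage, not proof of compromise: legitimate administrators use the Script Console and job configuration is routinely updated. Correlate each hit with who the user is, whether the source IP is expected, and whether the timing lines up with the disclosure window before treating it as abuse.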