The Jenkins project has released a critical security advisory addressing multiple vulnerabilities that could lead to full system compromise. The advisory highlights two high-severity flaws in the Jenkins core and a credential-handling issue in a popular third-party plugin.
Because Jenkins is a backbone of global CI/CD pipelines, these vulnerabilities represent a major risk for DevOps teams, potentially allowing attackers to inject malicious code directly into the heart of the software development lifecycle.
The most direct threat involves a “High” severity arbitrary file creation vulnerability (CVE-2026-33001). Jenkins versions 2.554 and earlier—as well as LTS 2.541.2 and earlier—fail to safely handle symbolic links when extracting .tar or .tar.gz archives.
“This allows crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins”.
For archives extracted on the controller, the impact is severe. Attackers can achieve remote code execution (RCE) by “writing malicious scripts to the JENKINS_HOME/init.groovy.d/ directory” or deploying rogue plugins. This exploit is particularly dangerous as it can be triggered by anyone with “Item/Configure” permissions or those able to control agent processes.
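One defensive check for the archive-handling issue described above, added here as an example and not Jenkins's own code: a Python extractor that audits every tar member and refuses link entries before anything is written, tried against a constructed archive shaped like the advisory's description (the link target is a placeholder path).

```python
import io
import tarfile
import tempfile
from pathlib import Path
def build_tar(entries):
    """Build a .tar in memory from (name, kind, payload); kind is 'file' or 'symlink'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type, info.linkname = tarfile.SYMTYPE, payload
                tar.addfile(info)
            else:
                info.size = len(payload.encode())
                tar.addfile(info, io.BytesIO(payload.encode()))
    return buf.getvalue()

def audit_archive(tar_bytes):
    """Return (member, reason) for each entry that must not be extracted. Path checks alone miss
    the advisory's case: once 'link' is a symlink, 'link/x' lands wherever it points, so links are refused."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                bad.append((m.name, "link member"))
            elif Path(m.name).is_absolute() or ".." in Path(m.name).parts:
                bad.append((m.name, "path escapes destination"))
    return bad

def safe_extract(tar_bytes, dest):
    # Extract into dest only if the whole archive passes the audit; otherwise write nothing.
    if bad := audit_archive(tar_bytes):
        raise ValueError(f"refusing to extract: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **opts)  # the 'data' filter is a second layer where available

# Constructed sample shaped like the advisory's description (the link target is a placeholder path).
HOSTILE_TAR = build_tar([("out", "symlink", "/placeholder/JENKINS_HOME/init.groovy.d"),
                         ("out/startup.groovy", "file", "// constructed, never written")])

def run_demo():
    # Extract a benign archive, then attempt the hostile one; report what reached disk.
    with tempfile.TemporaryDirectory() as tmp:
        safe_extract(build_tar([("job/config.xml", "file", "<project/>")]), tmp)
        try:
            safe_extract(HOSTILE_TAR, tmp)
            refused = False
        except ValueError:
            refused = True
        return refused, sorted(p.relative_to(tmp).as_posix() for p in Path(tmp).rglob("*"))
```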
A second “High” severity flaw (CVE-2026-33002) targets the Jenkins Command Line Interface (CLI) when accessed via WebSockets. Jenkins was found to use insecure HTTP request headers to validate the origin of these connections, leaving a door open for DNS rebinding attacks.
“By causing a victim to visit a malicious website that uses DNS rebinding to resolve to the Jenkins controller’s IP address, attackers can establish a WebSocket connection to the CLI endpoint from an untrusted origin and execute CLI commands as the anonymous user”.
If the anonymous user has been granted permissions—or if the server uses an “Anyone can do anything” authorization strategy—attackers can use Groovy scripting commands to execute arbitrary code.
In addition to the core fixes, the LoadNinja Plugin (v2.1 and earlier) was found to be leaking sensitive data (CVE-2026-33003, CVE-2026-33004). The plugin “stores LoadNinja API keys unencrypted in job config.xml files” and fails to mask them in the web interface. These keys can be easily captured by any user with “Item/Extended Read” permission.
Administrators are urged to upgrade their instances immediately. Jenkins has released the following patches to close these gaps:
- Jenkins Weekly: Update to version 2.555.
- Jenkins LTS: Update to version 2.541.3.
- LoadNinja Plugin: Update to version 2.2.
If an immediate update is not possible for the CLI vulnerability, administrators should “set up authentication for their Jenkins controller and remove permissions from the anonymous user”.