Jenkins has a link following vulnerability allows arbitrary file creation

GHSA-r6qv-frpc-q66c · BIT-jenkins-2026-33001 · CVE-2026-33001

Published Mar 18, 2026 · Modified Jun 4, 2026

Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33001
WEB https://github.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.555
WEB https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes