Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation

GHSA-phhv-63fh-rrc8 · BIT-jenkins-2026-33002 · CVE-2026-33002

Published Mar 18, 2026 · Modified Apr 16, 2026

Description

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33002
WEB https://github.com/jenkinsci/jenkins/commit/348666da7136ef8270f88c0a7350562b0ba7f8ce
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes