
Given Jenkins’s central role in enterprise build pipelines and its frequent deployment with elevated privileges, successful exploitation could allow attackers to pivot across internal systems, tamper with builds, or fully compromise production workflows.
Security teams are strongly urged to prioritize patching to mitigate immediate risk.
Archive Extraction Bug Leads to Full System Compromise
The most severe issue, tracked as CVE-2026-33001, affects Jenkins core versions 2.554 and LTS 2.541.2 and earlier.
The vulnerability stems from improper handling of symbolic links during the extraction of .tar and .tar.gz archives.
An attacker who supplies a crafted archive containing a symlink that points outside the extraction directory, followed by entries whose paths pass through that symlink, can bypass the intended directory boundary and write files to arbitrary locations on the Jenkins controller.
The only limit is the file-system permissions of the operating-system account the Jenkins service runs as.
In practical attack scenarios, a user with permission to configure jobs or to influence agent behavior can exploit the “Archive the artifacts” post-build action, since it extracts archives produced on the agent onto the controller.
This allows malicious files to be written into sensitive directories such as JENKINS_HOME/init.groovy.d/ or JENKINS_HOME/plugins/.
Once placed, these files execute attacker-controlled Groovy scripts or load a malicious plugin at the next controller startup (or whenever Jenkins otherwise processes the injected components), yielding full remote code execution on the controller.
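The symlink-traversal pattern described above, shown as an added illustration (this is not Jenkins code and not from the advisory): an in-memory .tar whose first member is a symlink to a directory outside the extraction root and whose second member is a file written through that symlink. A naive extractor that trusts member names and link targets drops the file outside its root; a hardened extractor resolves every path against the real destination and rejects the archive. The temporary directory standing in for JENKINS_HOME/init.groovy.d/ and the file name dropped.groovy are hypothetical.

```python
import io
import os
import tarfile
import tempfile


def build_symlink_tar(escape_target: str, payload: bytes) -> bytes:
    """Build, in memory, the archive shape the advisory describes: a symlink
    member pointing outside the extraction directory, followed by a regular
    file whose path runs through that symlink.  'escape_target' stands in for
    a directory such as JENKINS_HOME/init.groovy.d/ (hypothetical)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("out")
        link.type = tarfile.SYMTYPE
        link.linkname = escape_target          # absolute path outside dest
        tar.addfile(link)
        dropped = tarfile.TarInfo("out/dropped.groovy")
        dropped.size = len(payload)
        tar.addfile(dropped, io.BytesIO(payload))
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> None:
    """Vulnerable pattern: member names and link targets are trusted verbatim,
    so the second member is written through the symlink created by the first."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as out:
                    out.write(tar.extractfile(m).read())


def safe_extract(archive: bytes, dest: str) -> None:
    """Hardened pattern: every member path, and every symlink target, must
    resolve (following any links already on disk) to a location inside dest;
    otherwise the whole archive is rejected before anything is written."""
    dest_real = os.path.realpath(dest)

    def inside(p: str) -> bool:
        rp = os.path.realpath(p)
        return rp == dest_real or rp.startswith(dest_real + os.sep)

    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or ".." in m.name.split("/") or not inside(path):
                raise ValueError(f"member escapes destination: {m.name}")
            if m.issym():
                target = os.path.join(os.path.dirname(path), m.linkname)
                if os.path.isabs(m.linkname) or not inside(target):
                    raise ValueError(f"symlink escapes destination: {m.name} -> {m.linkname}")
                os.symlink(m.linkname, path)
            elif m.isfile():
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as out:
                    out.write(tar.extractfile(m).read())
            else:
                raise ValueError(f"unsupported member type: {m.name}")


def demo() -> tuple:
    """Returns (file_escaped_with_naive_extract, archive_rejected_by_safe_extract)."""
    fake_init_dir = tempfile.mkdtemp(prefix="init.groovy.d_")  # stands in for JENKINS_HOME/init.groovy.d
    archive = build_symlink_tar(fake_init_dir, b"println 'executed at controller startup'\n")

    naive_extract(archive, tempfile.mkdtemp(prefix="naive_"))
    escaped = os.path.isfile(os.path.join(fake_init_dir, "dropped.groovy"))

    try:
        safe_extract(archive, tempfile.mkdtemp(prefix="safe_"))
        rejected = False
    except ValueError:
        rejected = True
    return escaped, rejected


if __name__ == "__main__":
    print(demo())  # expected: (True, True)
```

The hardened version checks at write time with os.path.realpath rather than by inspecting names alone, which is what defeats the symlink trick: by the time the second member is processed, any link the archive created earlier is already on disk and is followed during resolution.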
A second high-severity vulnerability, CVE-2026-33002, affects Jenkins’ WebSocket-based CLI endpoint: a DNS rebinding attack bypasses its origin validation.
The flaw exists because Jenkins derives the expected origin from the Host or X-Forwarded-Host HTTP headers, both of which the client can manipulate, rather than from the configured Jenkins URL.
Attackers can exploit this weakness by luring a victim on the internal network to a malicious website whose hostname is first resolved to the attacker’s server and then re-resolved to the internal IP address of a Jenkins controller. The victim’s browser then sends the attacker’s hostname in both the Host and Origin headers, so the two match and the check passes.
This lets an untrusted origin open a WebSocket connection to the CLI endpoint. In environments where Jenkins is exposed over plain HTTP (a rebound HTTPS connection would fail certificate validation) and anonymous users retain elevated permissions, attackers can execute administrative CLI commands.
Because the Jenkins CLI supports Groovy execution (via the groovy and groovysh commands), this access can rapidly escalate into full remote code execution, effectively granting complete control over the server.
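To make the difference between the two origin checks concrete, the following added example (not Jenkins code and not from the advisory) compares a Host-header-based check with one anchored to the configured Jenkins URL, over constructed WebSocket upgrade headers. The hostnames jenkins.internal, attacker.example and the address 10.0.0.5 are hypothetical.

```python
from urllib.parse import urlsplit


def host_based_origin_check(headers: dict, scheme: str) -> bool:
    """Weak check of the kind described for CVE-2026-33002: the expected origin
    is rebuilt from X-Forwarded-Host / Host, both of which the client supplies."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    expected = f"{scheme}://{host.lower()}"
    return headers.get("Origin", "").lower() == expected


def configured_url_origin_check(headers: dict, jenkins_url: str) -> bool:
    """Check anchored to the administrator-configured Jenkins URL: the Origin
    must match that URL's scheme, host and port exactly, whatever the request's
    Host header says.  Default ports are normalised so http://h and http://h:80
    compare equal."""
    default = {"http": 80, "https": 443}
    cfg = urlsplit(jenkins_url)
    origin = urlsplit(headers.get("Origin", ""))
    return (origin.hostname is not None
            and origin.scheme == cfg.scheme
            and origin.hostname == cfg.hostname
            and (origin.port or default.get(origin.scheme)) == (cfg.port or default.get(cfg.scheme)))


JENKINS_URL = "http://jenkins.internal:8080/"   # hypothetical configured Jenkins URL

# Constructed upgrade-request headers as the controller would see them.
LEGIT = {"Host": "jenkins.internal:8080", "Origin": "http://jenkins.internal:8080"}
# DNS rebinding: the browser believes it is talking to attacker.example (whose
# record now points at the controller's internal IP), so Host and Origin agree
# with each other but not with the real Jenkins URL.
REBOUND = {"Host": "attacker.example", "Origin": "http://attacker.example"}
# Same attack through a reverse proxy that forwards the client-supplied host.
REBOUND_PROXIED = {"Host": "10.0.0.5:8080", "X-Forwarded-Host": "attacker.example",
                   "Origin": "http://attacker.example"}


def evaluate() -> dict:
    """Map each constructed request to (host_based_result, configured_url_result)."""
    cases = (("legit", LEGIT), ("rebound", REBOUND), ("rebound_proxied", REBOUND_PROXIED))
    return {name: (host_based_origin_check(h, "http"),
                   configured_url_origin_check(h, JENKINS_URL))
            for name, h in cases}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:16s} host-based={result[0]}  configured-url={result[1]}")
```

Both rebound requests pass the Host-based check because the browser, not the server, decides what Host and Origin say; only the check tied to the configured URL rejects them while still accepting the legitimate request.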
The advisory also highlights two medium-severity vulnerabilities in the LoadNinja plugin, tracked as CVE-2026-33003 and CVE-2026-33004.
Versions 2.1 and earlier store API keys in plaintext within job config.xml files on the controller.
Additionally, the plugin fails to mask these credentials in the Jenkins UI, exposing them to users with Extended Read permission.
This creates a straightforward path for credential harvesting, which could be leveraged to access external testing platforms or to pivot further into enterprise environments.
Jenkins has released fixes addressing all reported issues. Administrators should upgrade immediately to version 2.555 or LTS 2.541.3, which introduce strict validation during archive extraction and enforce origin checks based on the configured Jenkins URL rather than on request headers.
For environments using LoadNinja, upgrading to plugin version 2.2 ensures API keys are stored encrypted and masked in the UI.
Where immediate patching is not feasible, organizations should take defensive measures:
- Enforce authentication across all Jenkins instances.
- Remove all permissions assigned to anonymous users.
- Serve Jenkins over HTTPS only.
- Review user roles and job configuration privileges.
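A quick way to check the first three measures against a controller’s on-disk configuration, as an added example (not a Jenkins tool and not from the advisory): the script below parses a constructed JENKINS_HOME/config.xml fragment and a constructed jenkins.model.JenkinsLocationConfiguration.xml, flagging disabled security, an Unsecured authorization strategy, any permission granted to anonymous, and a non-HTTPS Jenkins URL. The sample XML is constructed for illustration; the USER:permission:sid layout of the matrix-auth plugin’s permission entries is assumed from typical controllers and should be verified against your own config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed JENKINS_HOME/config.xml fragment (not from a real instance) showing
# the weak settings the mitigations target.  Element names and the
# "USER:<permission>:<sid>" entry layout are assumed; check them against a real file.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:alice</permission>
    <permission>USER:hudson.model.Hudson.Read:anonymous</permission>
    <permission>USER:hudson.model.Item.Configure:anonymous</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>
"""

# Constructed JENKINS_HOME/jenkins.model.JenkinsLocationConfiguration.xml (hypothetical URL).
LOCATION_XML = """<jenkins.model.JenkinsLocationConfiguration>
  <jenkinsUrl>http://jenkins.internal:8080/</jenkinsUrl>
</jenkins.model.JenkinsLocationConfiguration>
"""


def audit_config(config_xml: str) -> list:
    """Flag settings that contradict the mitigations: disabled security, an
    Unsecured authorization strategy, or any permission granted to 'anonymous'."""
    findings = []
    root = ET.fromstring(config_xml)
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("useSecurity is not true: authentication is not enforced")
    strat = root.find("authorizationStrategy")
    cls = strat.get("class", "") if strat is not None else ""
    if strat is None or cls.endswith("$Unsecured"):
        findings.append("authorization strategy is Unsecured or missing: everyone is an administrator")
        return findings
    for p in strat.findall("permission"):
        parts = (p.text or "").strip().split(":")
        if len(parts) < 2:
            continue
        perm, sid = parts[-2], parts[-1]      # handles "perm:sid" and "USER:perm:sid"
        if sid == "anonymous":
            findings.append(f"{perm} granted to anonymous")
    return findings


def audit_location(location_xml: str) -> list:
    """Flag a missing or non-HTTPS configured Jenkins URL, which is both the
    plain-HTTP precondition for the rebinding attack and the value the fixed
    origin check is anchored to."""
    root = ET.fromstring(location_xml)
    url = (root.findtext("jenkinsUrl") or "").strip()
    if not url:
        return ["Jenkins URL is not configured: origin checks have nothing to anchor to"]
    if not url.lower().startswith("https://"):
        return [f"Jenkins URL {url} is not HTTPS"]
    return []


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG) + audit_location(LOCATION_XML):
        print("FINDING:", finding)
```

Run it against the real files under JENKINS_HOME rather than the constructed samples; an empty result for both functions means the configuration reflects the listed measures, but it says nothing about job-level permissions or agent configuration, which still need a manual review.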
These vulnerabilities highlight how CI/CD infrastructure remains a high-value target, with even minor misconfigurations or validation flaws capable of escalating into full system compromise.
The post Critical Jenkins Vulnerabilities Enable Remote Code Execution on CI/CD Servers appeared first on Cyber Security News.
