Critical Jenkins Vulnerabilities Expose CI/CD Servers to RCE Attacks

The Jenkins project has published a security advisory addressing multiple high-severity vulnerabilities in Jenkins core and the LoadNinja plugin.

Issued on March 18, 2026, the advisory warns that these flaws could allow attackers to execute arbitrary code and fully compromise continuous integration and continuous deployment (CI/CD) pipelines.

The most severe flaw, tracked as CVE-2026-33001, stems from how Jenkins handles symbolic links when extracting .tar and .tar.gz archives.

An attacker who holds the item configuration (Item/Configure) permission can craft a malicious archive that writes files to arbitrary locations on the file system.

Because the extraction runs on the controller itself, such an attacker can drop a malicious script into the init.groovy.d/ directory (scripts there run on controller startup) or place a rogue plugin in the plugins/ folder.

Either path ends in full remote code execution on the controller. Features such as the “Archive the artifacts” post-build action and certain pipeline steps rely heavily on this archive-handling code.
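The following Python program is an added illustration of the symlink problem described above; it is not Jenkins code and does not reproduce the Jenkins patch (Jenkins is written in Java and handles archives in its own way). It builds a small constructed .tar in memory containing a symlink member that points out of the extraction directory, followed by a file whose path runs through that link, and extracts it twice into a throwaway stand-in for JENKINS_HOME: once with a naive loop that trusts member names, and once with a hardened loop that resolves every path on disk before touching it and refuses links that escape the destination. The directory names (jenkins_home, archive, init.groovy.d) and the extractor functions are assumptions made for the demonstration.

```python
import io
import os
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed archive (not a real Jenkins artifact): a symlink that escapes the
    extraction directory, then a regular file whose path goes through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../init.groovy.d"          # points one level above the archive dir
        tar.addfile(link)
        payload = b'println "startup hook executed"\n'
        script = tarfile.TarInfo("out/evil.groovy")  # written through the symlink above
        script.size = len(payload)
        tar.addfile(script, io.BytesIO(payload))
    return buf.getvalue()


def extract_naive(data: bytes, dest: str) -> None:
    """Vulnerable pattern: joins member names onto dest and recreates symlinks as-is."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            target = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)  # follows existing symlinks
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.issym():
                os.symlink(m.linkname, target)
            elif m.isfile():
                with open(target, "wb") as fh:      # open() follows the symlink just created
                    fh.write(tar.extractfile(m).read())


def _inside(root: str, path: str) -> bool:
    """True if `path` (absolute, already resolved) lies at or below `root`."""
    return os.path.commonpath([root, path]) == root


def extract_hardened(data: bytes, dest: str) -> None:
    """Hardened pattern: resolve each path on disk (so symlinks created earlier in the
    same archive are followed), and refuse any member or link target outside dest."""
    root = os.path.realpath(dest)
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            target = os.path.join(root, m.name)
            if not _inside(root, os.path.realpath(target)):
                raise ValueError(f"refusing path that resolves outside destination: {m.name}")
            if m.issym() or m.islnk():
                # symlink targets are relative to the link's directory; hard links to the root
                base = os.path.dirname(target) if m.issym() else root
                link_target = os.path.realpath(os.path.join(base, m.linkname))
                if os.path.isabs(m.linkname) or not _inside(root, link_target):
                    raise ValueError(f"refusing link {m.name} -> {m.linkname}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.issym():
                os.symlink(m.linkname, target)
            elif m.islnk():
                os.link(os.path.join(root, m.linkname), target)
            elif m.isfile():
                with open(target, "wb") as fh:
                    fh.write(tar.extractfile(m).read())
            else:
                raise ValueError(f"refusing special member: {m.name}")


def run_demo() -> dict:
    """Extract the same archive with both extractors into a fresh fake JENKINS_HOME and
    report whether a file landed in init.groovy.d/ and whether the extractor refused."""
    data = build_malicious_tar()
    results = {}
    for name, extractor in (("naive", extract_naive), ("hardened", extract_hardened)):
        with tempfile.TemporaryDirectory() as tmp:
            home = os.path.join(tmp, "jenkins_home")   # assumed stand-in for JENKINS_HOME
            dest = os.path.join(home, "archive")       # assumed unpack directory
            os.makedirs(os.path.join(home, "init.groovy.d"))
            os.makedirs(dest)
            try:
                extractor(data, dest)
                error = None
            except ValueError as exc:
                error = str(exc)
            results[name] = {
                "error": error,
                "escaped": os.path.isfile(os.path.join(home, "init.groovy.d", "evil.groovy")),
            }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:9s} escaped={r['escaped']} error={r['error']}")
```

The naive loop ends with evil.groovy sitting in the fake init.groovy.d/ even though every member name was relative and contained no `..` of its own; the escape comes entirely from the symlink that the archive itself planted. The hardened loop rejects the link member before it is created, and because it checks `os.path.realpath(target)` for every member, it would also catch a write through a symlink that already existed on disk.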

WebSocket Hijacking Vulnerability

A second high-severity vulnerability, identified as CVE-2026-33002, is a DNS rebinding weakness in the origin validation of the WebSocket command-line interface (CLI) endpoint.

Jenkins computes the expected origin from the incoming HTTP request's own headers. An attacker can therefore satisfy the check by luring a victim to an attacker-controlled hostname and then switching that name's DNS record to resolve to the Jenkins controller's IP address, so that the victim's browser reaches the controller while still presenting the attacker's hostname.

That gives the attacker's page an unauthorized WebSocket connection to the CLI endpoint. If Jenkins is served over plain HTTP (rebinding does not defeat TLS certificate validation, so HTTPS deployments are not affected in this way) and the anonymous user has been granted permissions, the attacker can run CLI commands as that user.

Depending on what the anonymous user is allowed to do, this can escalate to Groovy script execution and from there to remote code execution on the controller.
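As an added example (not Jenkins code) of why computing the expected origin from the request itself fails under DNS rebinding, the Python below models the WebSocket CLI handshake check two ways: once deriving the expected origin from the request's Host header, and once from an administrator-configured root URL. The hostnames, root URL and handshake headers are constructed for the demonstration; how Jenkins itself derives and compares origins is not reproduced here.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed administrator-configured root URL of the controller (constructed value).
ROOT_URL = "http://ci.example.internal:8080/"

# Constructed handshake headers, not captured traffic. In the rebound case the
# victim's browser loaded http://rebind.attacker.test:8080; the attacker then
# switched that name's DNS record to the controller's IP, so the browser now
# reaches Jenkins while still sending the attacker's hostname in Host and Origin.
LEGIT_HANDSHAKE = {"Host": "ci.example.internal:8080",
                   "Origin": "http://ci.example.internal:8080"}
REBOUND_HANDSHAKE = {"Host": "rebind.attacker.test:8080",
                     "Origin": "http://rebind.attacker.test:8080"}
CROSS_SITE_HANDSHAKE = {"Host": "ci.example.internal:8080",
                        "Origin": "http://evil.example"}


def _normalize(url: str):
    """Reduce a URL or Origin value to (scheme, host, port), filling in default ports."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        return None
    return (u.scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme])


def expected_origin_from_request(headers: dict) -> str:
    """Weak derivation: rebuilds the expected origin from the request's own Host header.
    Under DNS rebinding the attacker chooses that hostname, so the check ends up
    comparing the attacker's value with itself."""
    scheme = "https" if headers.get("X-Forwarded-Proto", "").lower() == "https" else "http"
    return f"{scheme}://{headers.get('Host', '')}"


def expected_origin_from_config(root_url: str) -> str:
    """Robust derivation: uses a value the client cannot influence."""
    u = urlsplit(root_url)
    return f"{u.scheme}://{u.netloc}"


def websocket_cli_allowed(headers: dict, expected_origin: str) -> bool:
    """Accept the CLI WebSocket upgrade only if the browser-supplied Origin matches."""
    expected = _normalize(expected_origin)
    actual = _normalize(headers.get("Origin", ""))
    return expected is not None and actual == expected


def evaluate(handshake: dict, root_url: str = ROOT_URL) -> dict:
    """Run one handshake through both variants of the check."""
    return {
        "host_based": websocket_cli_allowed(handshake, expected_origin_from_request(handshake)),
        "config_based": websocket_cli_allowed(handshake, expected_origin_from_config(root_url)),
    }


if __name__ == "__main__":
    for name, hs in (("legitimate", LEGIT_HANDSHAKE),
                     ("dns-rebound", REBOUND_HANDSHAKE),
                     ("cross-site", CROSS_SITE_HANDSHAKE)):
        print(f"{name:12s} {evaluate(hs)}")
```

The ordinary cross-site request is rejected by both variants, which is why a host-derived check looks adequate in normal testing. The rebound handshake passes the host-based check because Host and Origin both carry the attacker's name, and fails the config-based one because the configured root URL never changes. With an https root URL the rebound handshake fails the config-based check on scheme alone, and in practice the TLS handshake to the controller under the attacker's hostname would already have failed; that is the reason the page's condition of plain HTTP matters.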

Plugin Exposes API Keys

In addition to the core vulnerabilities, the advisory highlighted a medium-severity issue within the LoadNinja Plugin.

Tracked as CVE-2026-33003 (insecure storage) and CVE-2026-33004 (missing masking), the plugin stored LoadNinja API keys unencrypted in job configuration files (config.xml).

The plugin's configuration form also failed to mask those credentials, so anyone with Item/Extended Read permission or file-system access to the controller could read them.

According to the Jenkins project security advisory, administrators should upgrade to Jenkins 2.555 (weekly) or 2.541.3 (LTS) and update the LoadNinja plugin to version 2.2.

Where immediate patching is not possible, the DNS rebinding flaw can be mitigated temporarily by requiring authentication on the controller and removing every permission granted to the anonymous user.


The post Critical Jenkins Vulnerabilities Expose CI/CD Servers to RCE Attacks appeared first on Cyber Security News.
