CVE-2026-33001
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Jenkins Project | Jenkins | 2.555 < * | unaffected |
| Jenkins Project | Jenkins | 2.541.3 < 2.541.* | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives
Additional References
- https://access.redhat.com/security/cve/CVE-2026-33001
- https://bugzilla.redhat.com/show_bug.cgi?id=2448645
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json
- https://access.redhat.com/errata/RHSA-2026:10209
- https://access.redhat.com/errata/RHSA-2026:10201
- https://access.redhat.com/errata/RHSA-2026:10211
- https://access.redhat.com/errata/RHSA-2026:10204
- https://access.redhat.com/errata/RHSA-2026:10214
- https://access.redhat.com/errata/RHSA-2026:10213
- https://access.redhat.com/errata/RHSA-2026:10215
- https://access.redhat.com/errata/RHSA-2026:10206
- https://access.redhat.com/errata/RHSA-2026:10199
- https://access.redhat.com/errata/RHSA-2026:10205
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.