Improper File Name Sanitization in Jenkins Credentials Binding Plugin
CVE-2026-48922

7.5 HIGH

Key Information:

Vendor: Jenkins
CVE Published: 27 May 2026

What is CVE-2026-48922?

The Jenkins Credentials Binding Plugin does not properly sanitize the file names of file credentials and zip file credentials before writing their contents to disk. When a binding materializes such a credential for a build, the name stored in the credential is used to construct the path on the node that runs the job, so an attacker who can edit the credential and has access to a job that binds it can write files to arbitrary locations on that node's filesystem. If Jenkins is configured to let low-privileged users modify file or zip file credentials that are used by jobs executing on the built-in node, this can lead to remote code execution, because the built-in node is the controller itself. The root cause is that the stored file name is trusted as-is, with no check that it is a plain file name or that the resulting path stays inside the intended directory. Until the plugin is updated, the exposure is reduced by not running builds on the built-in node and by restricting who may create or update file and zip file credentials.
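The following is an added, standalone illustration of this bug class and one way to harden it; it is not the Credentials Binding Plugin's own code. The class and method names, and the idea of a per-build "secrets directory" into which a binding writes the credential file, are assumptions made for the example. The unsafe version joins the stored name to the directory as-is, so "../" segments and absolute paths escape it; the safe version accepts only a bare file name and then independently verifies that the normalized target is a direct child of the directory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.List;

/**
 * Standalone illustration of the bug class: a file name taken from a stored
 * credential is joined to the directory where a binding materializes secrets.
 * Not the plugin's code; class, method names and the "secrets directory"
 * notion are assumptions for this example.
 */
public class CredentialFileNameDemo {

    /** Vulnerable pattern: the stored name is trusted and joined as-is. */
    static Path unsafeTarget(Path secretsDir, String storedFileName) {
        // resolve() returns storedFileName unchanged when it is absolute, and
        // normalize() lets "../" segments climb out of secretsDir.
        return secretsDir.resolve(storedFileName).normalize();
    }

    /**
     * Hardened pattern: accept only a bare file name (no separator of either
     * platform, no "." or "..", no NUL), then confirm the normalized target is
     * a direct child of secretsDir as a second, independent check.
     */
    static Path safeTarget(Path secretsDir, String storedFileName) {
        if (storedFileName == null || storedFileName.isEmpty()
                || storedFileName.equals(".") || storedFileName.equals("..")
                || storedFileName.indexOf('/') >= 0
                || storedFileName.indexOf('\\') >= 0
                || storedFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name: " + storedFileName);
        }
        Path root = secretsDir.toAbsolutePath().normalize();
        Path target = root.resolve(storedFileName).normalize();
        if (!root.equals(target.getParent())) {
            throw new IllegalArgumentException("escapes secrets dir: " + storedFileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path secretsDir = Files.createTempDirectory("secretfiles");
        // Constructed names of the kind a user who can edit the credential could store.
        List<String> names = Arrays.asList(
                "id_rsa",
                "../../../tmp/pwned.sh",
                "/etc/cron.d/evil",
                "..\\..\\init.groovy.d\\evil.groovy");
        for (String name : names) {
            Path unsafe = unsafeTarget(secretsDir, name);
            String verdict = unsafe.startsWith(secretsDir) ? "inside" : "ESCAPES";
            System.out.printf("unsafe %-38s -> %s (%s)%n", name, unsafe, verdict);
            try {
                Path safe = safeTarget(secretsDir, name);
                Files.write(safe, "secret".getBytes(StandardCharsets.UTF_8));
                System.out.printf("safe   %-38s -> written to %s%n", name, safe);
            } catch (IllegalArgumentException e) {
                System.out.printf("safe   %-38s -> rejected (%s)%n", name, e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac CredentialFileNameDemo.java && java CredentialFileNameDemo`. Note the last constructed name: on Linux a backslash is an ordinary character, so the unsafe variant reports it as "inside", while on a Windows node the same stored name climbs two directories up. A name check that only looks for the local separator is therefore not enough when credentials are shared across heterogeneous nodes, which is why the hardened version rejects both separators and then re-checks the resolved path.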

Affected Version(s)

Jenkins Credentials Binding Plugin, all versions up to and including 720.v3f6decef43ea_

CVSS v3.1

Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 27 May 2026
  • Vulnerability reserved