Remote Code Execution Vulnerability in Jenkins by CloudBees
CVE-2026-53435
Key Information:
Badges
What is CVE-2026-53435?
CVE-2026-53435 is a remote code execution vulnerability found in Jenkins, an automation server widely used for continuous integration and continuous delivery (CI/CD) in software development. The vulnerability affects Jenkins versions 2.567 and earlier, as well as the Long Term Support (LTS) version 2.555.2 and earlier. It exploits a flaw in the deserialization process of arbitrary types defined in Jenkins core or its plugins, which can be manipulated through an attacker-controlled config.xml submission. This enables attackers to handle HTTP requests and impersonate legitimate users, providing them with the capability to execute arbitrary code via the Script Console or read sensitive files from the Jenkins controller. The potential ramifications of such exploitations are severe, potentially compromising the security and integrity of applications and development pipelines reliant on Jenkins.
Potential impact of CVE-2026-53435
-
Unauthorized Access and Code Execution: The ability for attackers to impersonate any user and execute arbitrary code through the Script Console poses a direct threat to the security of the Jenkins environment, allowing for unauthorized access to sensitive data and systems.
-
Data Breaches and Information Theft: By exploiting this vulnerability, attackers can read arbitrary files from the Jenkins controller, leading to the potential exposure of sensitive configuration files, user credentials, and other critical information.
-
Compromise of CI/CD Pipelines: Given Jenkins' pivotal role in automating deployment and integration, successful exploitation of this vulnerability could disrupt development workflows, leading to prolonged downtimes or the introduction of malicious code into production systems, posing a significant risk to business operations.
Affected Version(s)
Jenkins 2.568
Jenkins 2.568
Jenkins 2.555.3 < 2.555.*
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Jenkins RCE Flaw Exploited by Attackers in the Wild - IT Security News
A remote code execution (RCE) vulnerability in Jenkins, tracked as CVE-2026-53435, is now actively exploited in the wild. The flaw, stemming from insecure deserialization during Jenkins’ config.xml processing, allows unauthenticated or low-privileged attackers to execute arbitrary code on vulnerable...
References
EPSS Score
14% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📈
Vulnerability started trending
- 📰
First article discovered by It Security News
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved