Remote Code Execution Vulnerability in Jenkins by CloudBees
CVE-2026-53435

8.8HIGH

Key Information:

Vendor

Jenkins

Status
Vendor
CVE Published:
10 June 2026

Badges

📈 Trended📈 Score: 1,670👾 Exploit Exists🟡 Public PoC🟣 EPSS 14%📰 News Worthy

What is CVE-2026-53435?

CVE-2026-53435 is a remote code execution vulnerability found in Jenkins, an automation server widely used for continuous integration and continuous delivery (CI/CD) in software development. The vulnerability affects Jenkins versions 2.567 and earlier, as well as the Long Term Support (LTS) version 2.555.2 and earlier. It exploits a flaw in the deserialization process of arbitrary types defined in Jenkins core or its plugins, which can be manipulated through an attacker-controlled config.xml submission. This enables attackers to handle HTTP requests and impersonate legitimate users, providing them with the capability to execute arbitrary code via the Script Console or read sensitive files from the Jenkins controller. The potential ramifications of such exploitations are severe, potentially compromising the security and integrity of applications and development pipelines reliant on Jenkins.

Potential impact of CVE-2026-53435

  1. Unauthorized Access and Code Execution: The ability for attackers to impersonate any user and execute arbitrary code through the Script Console poses a direct threat to the security of the Jenkins environment, allowing for unauthorized access to sensitive data and systems.

  2. Data Breaches and Information Theft: By exploiting this vulnerability, attackers can read arbitrary files from the Jenkins controller, leading to the potential exposure of sensitive configuration files, user credentials, and other critical information.

  3. Compromise of CI/CD Pipelines: Given Jenkins' pivotal role in automating deployment and integration, successful exploitation of this vulnerability could disrupt development workflows, leading to prolonged downtimes or the introduction of malicious code into production systems, posing a significant risk to business operations.

Affected Version(s)

Jenkins 2.568

Jenkins 2.568

Jenkins 2.555.3 < 2.555.*

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Jenkins RCE Flaw Exploited by Attackers in the Wild - IT Security News

A remote code execution (RCE) vulnerability in Jenkins, tracked as CVE-2026-53435, is now actively exploited in the wild. The flaw, stemming from insecure deserialization during Jenkins’ config.xml processing, allows unauthenticated or low-privileged attackers to execute arbitrary code on vulnerable...

References

EPSS Score

14% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 📈

    Vulnerability started trending

  • 📰

    First article discovered by It Security News

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.