Groovy AST Transformation Vulnerability in Jenkins Script Security Plugin
CVE-2026-57281

7.5HIGH

Key Information:

Vendor

Jenkins

Vendor
CVE Published:
24 June 2026

What is CVE-2026-57281?

The Jenkins Script Security Plugin, specifically versions 1402.v94c9ce464861 and earlier, is susceptible to a vulnerability that allows attackers to execute code outside of the intended sandbox environment. This occurs when Groovy scripts capable of using AST transformation annotations with an extensions member are evaluated. If such a script is present within the classpath, malicious users can exploit this flaw to execute unauthorized commands, thereby compromising the integrity of the Jenkins application.

Affected Version(s)

Jenkins Script Security Plugin 0 <= 1402.v94c9ce464861

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.