CVE-2026-33001 — Link Following in Jenkins

CWE-59 — Link Following CWE-22 — Path Traversal CWE-61 — UNIX Symbolic Link (Symlink) Following8 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 65.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Core Jenkins LTS +2 more

Timeline

PublishedMar 18

Latest updateMar 23

Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDjenkins/jenkins< 2.541.3+1

▶jenkinsjenkins/jenkins_lts

▶jenkinsjenkins/jenkins_core

▶jenkinsjenkins/jenkins_weekly

▶jenkinsjenkins/loadninja_plugin

🔴Vulnerability Details

OSV

Jenkins has a link following vulnerability allows arbitrary file creation↗2026-03-18

▶

GHSA

Jenkins has a link following vulnerability allows arbitrary file creation↗2026-03-18

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2026-03-18↗2026-03-18

▶

Red Hat

jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives↗2026-03-18

▶

🕵️Threat Intelligence

Hackernews

⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More↗2026-03-23

▶

Wiz

CVE-2026-33001 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2025-22234 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶