CVE-2026-33001
Published 2026-03-18
CVE-2026-33001: Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted…
Priority P2 · 63 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.16% (63.2nd percentile)
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | < 2.541.3 | 2.541.3 |
| jenkins | jenkins | < 2.555 | 2.555 |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | loadninja_plugin | — | — |
Detection & IOCs
- Detect crafted .tar or .tar.gz archives containing symbolic links that resolve to paths outside the intended extraction directory, the hallmark of this zip/tar-slip-style attack.
- Alert on use of the 'Archive the artifacts' post-build action or the archiveArtifacts/archive Pipeline steps by users with Item/Configure permission, particularly when the archived artifact is a .tar or .tar.gz file, as these are the most prominent attack vectors.
- Flag agent processes that submit archives to the Jenkins controller for extraction: a compromised or attacker-controlled agent can exploit this vulnerability without Item/Configure permission.
- The vulnerability affects Jenkins weekly 2.554 and earlier and LTS 2.541.2 and earlier. Instances already upgraded to Jenkins 2.555 / LTS 2.541.3 are not affected.
- Exploitation severity is bounded by the filesystem permissions of the OS user running Jenkins; running Jenkins as a least-privilege user reduces the blast radius of the arbitrary file write.
- The standard (controller-local) artifact manager must be in use for the most prominent attack paths to apply; custom or remote artifact managers may not invoke the vulnerable extraction code path.
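The mechanism behind this class of bug (CWE-59 link following during archive extraction) and the first detection item above can be shown with a small offline scanner. The code below is an added example written for this page; it is not Jenkins code and does not reproduce the Jenkins extraction routine. It builds two constructed .tar.gz archives in memory (all paths are hypothetical, and JENKINS_HOME is assumed to be /var/lib/jenkins), then simulates member-by-member extraction into an archive directory without writing anything, following symlinks that the archive itself plants. It goes slightly beyond the text by also flagging `..` traversal in member names and hard links, since a practical pre-extraction check should cover all three.

```python
from __future__ import annotations

import io
import posixpath
import tarfile


def build_tar(members: list[tuple[str, str | bytes]]) -> bytes:
    """Build a .tar.gz in memory. A str value makes a symlink to that target,
    a bytes value makes a regular file with that content. (Constructed sample
    data for this example only.)"""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, value in members:
            info = tarfile.TarInfo(name)
            if isinstance(value, str):
                info.type = tarfile.SYMTYPE
                info.linkname = value
                tf.addfile(info)
            else:
                info.size = len(value)
                tf.addfile(info, io.BytesIO(value))
    return buf.getvalue()


def find_escaping_members(tar_bytes: bytes, dest: str) -> list[str]:
    """Simulate extracting the archive member by member into `dest` (an
    absolute POSIX path) and report every member whose on-disk location would
    fall outside `dest`: absolute or '..' member names, symlinks or hard links
    whose target lies outside, and files whose path passes through a symlink
    that an earlier member of the same archive planted. Nothing is written."""
    dest = posixpath.normpath(dest)
    links: dict[str, str] = {}  # path a symlink would occupy -> its resolved target
    findings: list[str] = []

    def inside(path: str) -> bool:
        return path == dest or path.startswith(dest + "/")

    def walk(base: str, rel: str) -> str:
        # Resolve `rel` against `base` one component at a time, substituting
        # any symlink the archive has already placed on that path.
        path = base
        for part in rel.split("/"):
            if part in ("", "."):
                continue
            path = posixpath.normpath(posixpath.join(path, part))
            path = links.get(path, path)
        return path

    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            if m.name.startswith("/"):
                findings.append(f"{m.name}: absolute member name")
                continue
            real = walk(dest, m.name)
            if not inside(real):
                findings.append(f"{m.name}: would be written to {real}")
                continue
            if m.issym() or m.islnk():
                if m.islnk():
                    target = walk(dest, m.linkname)  # hard links are archive-relative
                elif posixpath.isabs(m.linkname):
                    target = walk("/", m.linkname)
                else:
                    target = walk(posixpath.dirname(real), m.linkname)
                links[real] = target
                if not inside(target):
                    findings.append(
                        f"{m.name} -> {m.linkname}: link target {target} is outside {dest}"
                    )
    return findings


# Constructed sample archives (hypothetical paths). The malicious one plants a
# symlink that climbs out of the archive directory into the controller's plugin
# directory and then writes a file through it; the benign one only links inside.
DEST = "/var/lib/jenkins/workspace/job/archive"
MALICIOUS = build_tar([
    ("plugins", "../../../plugins"),
    ("plugins/backdoor.hpi", b"hypothetical plugin bytes"),
])
BENIGN = build_tar([
    ("build/app.jar", b"hypothetical jar bytes"),
    ("build/latest.jar", "app.jar"),  # relative symlink that stays inside dest
])

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, find_escaping_members(blob, DEST) or "clean")
```

The important detail is ordering: the symlink member on its own looks harmless if you only check member names, and the second member's name `plugins/backdoor.hpi` looks harmless if you only check link targets. Only a check that remembers what earlier members would have created on disk sees that the file lands under /var/lib/jenkins/plugins. For Python's own extractors, the standard library's `tarfile` "data" filter (PEP 706, Python 3.12 and backported security releases) rejects the same patterns at extraction time.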
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat · 8.8 HIGH
Jenkins
CVE-2026-33001 [HIGH] Jenkins Security Advisory 2026-03-18
vendor_jenkins · 2026-03-18 · CVSS 8.8
This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins (core)
LoadNinja Plugin
Descriptions
Link following vulnerability allows arbitrary file creation
SECURITY-3657 / CVE-2026-33001
Severity (CVSS): High
Description: Jen
Red Hat
CVE-2026-33001 [HIGH] CWE-22 jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives
vendor_redhat · 2026-03-18 · CVSS 8.8
A flaw was found in Jenkins. This vulnerability allows attackers with Item/Configure permission, or those who can control agent processes, to exploit unsafe handling of symbolic links during the extraction of .tar and .tar.gz archives. By cra
OSV
CVE-2026-33001 [HIGH] Jenkins has a link following vulnerability allows arbitrary file creation
osv · 2026-03-18
GHSA
CVE-2026-33001 [HIGH] CWE-59 Jenkins has a link following vulnerability allows arbitrary file creation
ghsa · 2026-03-18
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
blogs_hackernews · 2026-03-23
Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.
This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.
It’s a mix of old problems that never go away and new methods that are harder to detect. Th
Wiz
CVE-2026-33001 [HIGH] CVE-2026-33001 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8
## CVE-2026-33001: Java vulnerability analysis and mitigation
Source: NVD
Score: 8.8
Published: March 18, 2026
Severity: HIGH
CNA Score: 8.8
Affected Technologies: Java, Jenkins
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 30.7
Wiz
CVE-2025-22234 [LOW] CVE-2025-22234 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 3.7
## CVE-2025-22234: Jenkins vulnerability analysis and mitigation
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.
Source: NVD
Score: 5.3
Published: January 22, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: Jenkins, Spring Security
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.4
Exploitation Probability (EPSS): N/A
Affected packages and libraries: org.springframework.security:spring-security-core, jenkins
Sources: NVD
Maven Severity MEDIUM Has Fix Ad
Bugzilla
CVE-2026-33001 [HIGH] CVE-2026-33001 jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives
bugzilla · 2026-03-18 · CVSS 8.8
References:
https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657
https://access.redhat.com/errata/RHSA-2026:10199
https://access.redhat.com/errata/RHSA-2026:10201
https://access.redhat.com/errata/RHSA-2026:10204
https://access.redhat.com/errata/RHSA-2026:10205
https://access.redhat.com/errata/RHSA-2026:10206
https://access.redhat.com/errata/RHSA-2026:10209
https://access.redhat.com/errata/RHSA-2026:10211
https://access.redhat.com/errata/RHSA-2026:10213
https://access.redhat.com/errata/RHSA-2026:10214
https://access.redhat.com/errata/RHSA-2026:10215
https://access.redhat.com/security/cve/CVE-2026-33001
https://bugzilla.redhat.com/show_bug.cgi?id=2448645
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33001.json
Published: 2026-03-18