CVE-2026-53435
published 2026-06-10

Priority: P1 (84), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild: listed in VulnCheck KEV (initial access)
EPSS: 14.91% (96.3rd percentile)
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

Affected (6 ranges)

Vendor    Product          Version range    Fixed in
jenkins   jenkins          < 2.555.3        2.555.3
jenkins   jenkins          < 2.568          2.568
jenkins   jenkins
jenkins   jenkins_core
jenkins   jenkins_lts
jenkins   jenkins_weekly

Detection & IOCs (extracted from sources)

  • Monitor for attacker-controlled `config.xml` submissions to Jenkins endpoints, which may contain serialized arbitrary types intended for deserialization exploitation.
  • Detect HTTP requests originating from the Jenkins controller that were not initiated by a legitimate user session, which may indicate post-deserialization user impersonation.
  • Alert on any Script Console usage (e.g., POST to `/script` or `/scriptText`) following a `config.xml` submission, as this is the primary path to arbitrary code execution.
  • Monitor for unexpected file read activity on the Jenkins controller filesystem, potentially triggered via deserialized gadget chains after a malicious `config.xml` upload.
  • Affected versions are Jenkins 2.567 and earlier (weekly) and LTS 2.555.2 and earlier. Detection and patching efforts should confirm the installed version falls within this range.
  • The Jenkins package within OpenShift Developer Tools and Services was listed as 'Under investigation' at time of source capture; patch availability for that distribution should be verified separately.
  • The deserialization sink is specifically triggered via a crafted `config.xml` file submission, meaning the attack surface is limited to endpoints that accept `config.xml` input (e.g., job/item configuration APIs).

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck                 8.8     HIGH
vendor_redhat             8.8     HIGH