CVE-2026-53435
Published 2026-06-10
Priority: P1 · 84 · High · CVSS 3.1: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 14.91% (96.3 percentile)
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.
This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
Affected (6 ranges). The two rows that carry a version range are the LTS line (fixed in 2.555.3) and the weekly line (fixed in 2.568); the remaining rows are product identifiers recorded without a version range.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | jenkins | < 2.555.3 | 2.555.3 |
| jenkins | jenkins | < 2.568 | 2.568 |
| jenkins | jenkins | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
Detection & IOCs (extracted from sources)
- Monitor submissions of `config.xml` to Jenkins endpoints (job, item and similar configuration APIs); an attacker-controlled submission can carry serialized arbitrary types aimed at the deserialization sink.
- Detect HTTP requests that Jenkins handles on behalf of a user who has no corresponding authenticated session (for example, administrative actions attributed to an account that never logged in), which may indicate post-deserialization impersonation.
- Alert on Script Console usage (for example, POST to /script or /scriptText) following a config.xml submission; this is the primary path to arbitrary code execution.
- Monitor for unexpected file reads on the Jenkins controller filesystem, which may be triggered through deserialized gadget chains after a malicious config.xml upload.
- Affected versions are Jenkins 2.567 and earlier (weekly) and LTS 2.555.2 and earlier. Detection and patching efforts should confirm the installed version falls within this range.
- The Jenkins package within OpenShift Developer Tools and Services was listed as 'Under investigation' at the time of source capture; patch availability for that distribution should be verified separately.
- The deserialization sink is triggered by a crafted `config.xml` submission, so the attack surface is limited to endpoints that accept config.xml input (for example, job/item configuration APIs).
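The following is an added example, not code from the Jenkins project or from any of the indexed sources. It turns two items above into something runnable: a version check against the ranges in the Affected table (weekly fixed in 2.568, LTS fixed in 2.555.3), and a correlation rule that flags a Script Console POST following a config.xml submission from the same client. The access-log lines, client addresses and job names are constructed; the log format is assumed to be the common/combined format written by a reverse proxy in front of Jenkins or by Winstone's access logger, and `/createItem` (Jenkins' XML item-creation endpoint) is included as an additional config.xml sink by assumption.

```python
"""Version check for the Affected ranges plus a config.xml -> Script Console
correlation rule over access-log lines. Added example; not from the advisory
or any indexed source. All log lines, addresses and job names are constructed."""
import re
from datetime import datetime, timedelta

# Fixed versions from the Affected table: weekly line 2.568, LTS line 2.555.3.
WEEKLY_FIXED = (2, 568)
LTS_FIXED = (2, 555, 3)


def parse_version(version: str) -> tuple:
    """Split '2.567' / '2.555.2' into an integer tuple."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins core version: {version!r}")
    return parts


def is_affected(version: str) -> bool:
    """True when the installed core version lies in an affected range.

    Weekly releases carry two components (2.567), LTS releases three
    (2.555.2); each line is compared only against its own fixed version.
    """
    parts = parse_version(version)
    return parts < WEEKLY_FIXED if len(parts) == 2 else parts < LTS_FIXED


# Common/combined access-log format (assumption: reverse proxy or Winstone
# access logger in front of / inside the controller).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept a config.xml body: item config.xml (named in the IOC
# list) and /createItem, Jenkins' XML item-creation endpoint (added here).
CONFIG_SINK_RE = re.compile(r"(?:/config\.xml|/createItem)$")
# Script Console endpoints; endswith() tolerates a context-path prefix and
# the per-agent console under /computer/<name>/script.
SCRIPT_SUFFIXES = ("/script", "/scriptText")
WINDOW = timedelta(minutes=30)


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def correlate(lines, window=WINDOW):
    """Return one alert per Script Console POST that follows, within
    `window`, a config.xml/createItem POST from the same client address."""
    records = [r for r in map(parse_line, lines) if r and r["method"] == "POST"]
    records.sort(key=lambda r: r["ts"])  # do not rely on input ordering
    last_submission = {}  # client address -> (timestamp, path)
    alerts = []
    for rec in records:
        path = rec["path"]
        if CONFIG_SINK_RE.search(path):
            last_submission[rec["ip"]] = (rec["ts"], path)
        elif path.rstrip("/").endswith(SCRIPT_SUFFIXES):
            prior = last_submission.get(rec["ip"])
            if prior and rec["ts"] - prior[0] <= window:
                alerts.append({
                    "client": rec["ip"],
                    "config_path": prior[1],
                    "config_at": prior[0].isoformat(),
                    "script_path": path,
                    "script_at": rec["ts"].isoformat(),
                })
    return alerts


# Constructed sample log. Only 10.0.0.5 shows the suspicious sequence; the
# 10.0.0.8 Script Console call comes two hours after its createItem POST,
# and bob's /script call has no preceding config submission at all.
SAMPLE_LOG = [
    '10.0.0.8 - - [10/Jun/2026:09:00:00 +0000] "POST /createItem?name=x HTTP/1.1" 200 0',
    '10.0.0.8 - - [10/Jun/2026:11:00:00 +0000] "POST /script HTTP/1.1" 200 0',
    '10.0.0.5 - - [10/Jun/2026:12:00:01 +0000] "POST /job/build1/config.xml HTTP/1.1" 200 0',
    '10.0.0.9 - alice [10/Jun/2026:12:01:00 +0000] "GET /job/build1/config.xml HTTP/1.1" 200 1832',
    '10.0.0.5 - - [10/Jun/2026:12:03:40 +0000] "POST /scriptText HTTP/1.1" 200 0',
    '10.0.0.7 - bob [10/Jun/2026:13:00:00 +0000] "POST /script HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for v in ("2.567", "2.568", "2.555.2", "2.555.3"):
        print(f"{v}: {'affected' if is_affected(v) else 'fixed'}")
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Treat a hit as a triage signal rather than a verdict: configuration-as-code, seed jobs and CLI tooling also POST config.xml legitimately, and a proxy-level log cannot show which Jenkins identity a Script Console request was processed under, which is exactly what impersonation hides. Confirm against the Jenkins audit trail or the controller's own request log before escalating.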
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | 8.8 | HIGH | — |
| Red Hat | 8.8 | HIGH | — |
GHSA
ghsa_unreviewed · 2026-06-10
CVE-2026-53435 [HIGH] CWE-502
Description: identical to the summary above (Jenkins 2.567 and earlier, LTS 2.555.2 and earlier; deserialization of arbitrary types from an attacker-controlled `config.xml` submission, enabling user impersonation, Script Console code execution and arbitrary file reads on the controller).
VulDB
vuldb · 2026-06-10 · CVSS 8.8
CVE-2026-53435 [HIGH] Jenkins up to 2.554.x config.xml deserialization
A vulnerability was found in Jenkins up to 2.554.x. It has been classified as critical. This issue affects some unknown processing of the file config.xml. This manipulation causes deserialization.
This vulnerability is registered as CVE-2026-53435. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
VulnCheck
vulncheck · 2026 · CVSS 8.8
CVE-2026-53435 [HIGH] Jenkins jenkins Deserialization of Untrusted Data
Description: identical to the summary above.
Affected: Jenkins jenkins
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://x.com/DefusedCyber/status/2066446206285291526
Red Hat
vendor_redhat · 2026-06-10 · CVSS 8.8
CVE-2026-53435 [HIGH] CWE-502 jenkins: Jenkins: Arbitrary code execution via deserialization of attacker-controlled configuration
Description: identical to the summary above.
A flaw was found in Jenkins. Attackers can exploit a deserialization vulnerability by submitting a specially crafted `config.xml` file. This allows them to deserialize arbitrary types, leading to the ability to impe
Jenkins
vendor_jenkins · 2026-06-10 · CVSS 8.8
CVE-2026-53435 [HIGH] Jenkins Security Advisory 2026-06-10
This advisory announces vulnerabilities in the following Jenkins deliverables: Jenkins (core)
Descriptions
Deserialization vulnerability
SECURITY-3707 / CVE-2026-53435
Severity (CVSS): High
Description: Jenkins uses serialization and deserialization in mul
No detection rules found.
No public exploits indexed.
Published: 2026-06-10