CVE-2026-57296
Published: 2026-06-24
Priority P2 · 62 · High · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.0th percentile)
Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.
Affected (40 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | active_directory | — | — |
| jenkins | active_directory_plugin | — | — |
| jenkins | assembla | — | — |
| jenkins | assembla_plugin | — | — |
| jenkins | bitbucket_push_and_pull_request | — | — |
| jenkins | bitbucket_push_and_pull_request_plugin | — | — |
| jenkins | contrast_continuous_application_security | — | — |
| jenkins | contrast_continuous_application_security_plugin | — | — |
| jenkins | ec2_fleet | — | — |
| jenkins | ec2_fleet_plugin | — | — |
| jenkins | external_workspace_manager | — | — |
| jenkins | external_workspace_manager_plugin | — | — |
| jenkins | fitnesse | — | — |
| jenkins | fitnesse_plugin | — | — |
| jenkins | git_client | — | — |
| jenkins | git_client_plugin | — | — |
| jenkins | git_parameter | — | — |
| jenkins | git_parameter_plugin | — | — |
| jenkins | gitee | — | — |
| jenkins | gitee_plugin | — | — |
| jenkins | github_branch_source | — | — |
| jenkins | github_branch_source_plugin | — | — |
| jenkins | groovy | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | jenkins_controller_by_owasp_zap | — | — |
References
Jenkins Security Advisory 2026-06-24 (source: vendor_jenkins, 2026-06-24; indexed as CVE-2026-57280 [HIGH])
This advisory announces vulnerabilities in the following Jenkins deliverables: Active Directory Plugin, Assembla Plugin, Bitbucket Push and Pull Request Plugin, Contrast Continuous Application Security Plugin, EC2 Fleet Plugin, External Workspace Manag
GHSA (source: ghsa_unreviewed, 2026-06-24): CVE-2026-57296 [HIGH], CWE-22 (path traversal)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.