Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 18 Mar 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes. | |
| References |
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: jenkins
Published:
Updated: 2026-03-18T15:15:23.950Z
Reserved: 2026-03-17T15:04:07.615Z
Link: CVE-2026-33001
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-03-18T16:16:28.067
Modified: 2026-03-18T16:16:28.067
Link: CVE-2026-33001
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.