PT-2026-26073 · Jenkins+1
Elie Metahri (+3)
Published 2026-03-18 · Updated 2026-05-24
CVE-2026-33001
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.554 and earlier
Jenkins LTS versions 2.541.2 and earlier
Description
The software does not safely handle symbolic links when extracting .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, limited by the file system access permissions of the user running Jenkins. An attacker with Item/Configure permission, or control over agent processes, can exploit this to deploy malicious scripts or plugins on the controller.
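As an added example (not part of this advisory and not Jenkins's own code), the following Python check shows the defensive logic an archive extractor needs against the weakness described above: it refuses entries whose symlink or hardlink targets resolve outside the destination directory, and any entry whose path runs through a symlink seen earlier in the same archive. The destination path and the sample archive are constructed for illustration.

```python
import io
import os
import tarfile

def _inside(dest: str, relpath: str) -> bool:
    """True if dest/relpath, after '..' and symlink normalisation, stays under dest."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, relpath))
    return target == root or target.startswith(root + os.sep)

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Names of entries that would write outside dest: absolute or '..' paths,
    links whose target leaves dest, and entries placed beneath an earlier symlink."""
    bad, seen_symlinks = [], set()
    for m in tar.getmembers():
        name = os.path.normpath(m.name)
        parts = name.split(os.sep)
        if os.path.isabs(m.name) or parts[0] == "..":
            bad.append(m.name)
        elif any(os.sep.join(parts[:i]) in seen_symlinks for i in range(1, len(parts))):
            bad.append(m.name)  # the write would follow the earlier symlink
        elif m.issym():
            seen_symlinks.add(name)
            # Symlink targets are relative to the link's own directory.
            if not _inside(dest, os.path.join(os.path.dirname(name), m.linkname)):
                bad.append(m.name)
        elif m.islnk() and not _inside(dest, m.linkname):
            bad.append(m.name)  # hardlink targets are archive-root relative
    return bad

def build_sample_archive() -> bytes:
    """Constructed test archive: a benign file, an in-tree symlink, a symlink
    escaping the destination, and a file whose path runs through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", link=None):
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        add("safe/readme.txt", b"hello\n")
        add("safe/inner", link="readme.txt")
        add("safe/link", link="../../outside")
        add("safe/link/dropped.txt", b"written through the symlink\n")
    return buf.getvalue()

def audit(tar_bytes: bytes, dest: str) -> list[str]:
    """Open an in-memory archive and list the entries an extractor must refuse."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return unsafe_members(tar, dest)
```

Running `audit(build_sample_archive(), "/srv/jenkins/extract")` flags only the escaping symlink and the file written through it; the benign file and the in-tree symlink pass.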
Recommendations
Update Jenkins to a version later than 2.554.
Update Jenkins LTS to a version later than 2.541.2.
Fix
RCE
Link Following
Related Identifiers
Affected Products
Jenkins
Red Os