PT-2026-26074 · Cloudbees+2 · Jenkins+1
Babaucafor · Published 2026-03-18 · Updated 2026-05-24
CVE-2026-33002
CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.442 through 2.554
Jenkins LTS versions 2.426.3 through 2.541.2
Description
The software does not properly validate the origin of requests made through the CLI WebSocket endpoint. It calculates the expected origin using the Host or X-Forwarded-Host HTTP request headers, which can be exploited through DNS rebinding attacks to bypass origin validation.
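The weakness described above, as an added example that is not Jenkins code: an origin check whose expected value is derived from the Host or X-Forwarded-Host header, next to a stricter check that compares against a configured URL. The function names, `CONFIGURED_ROOT_URL` and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: root URL set by the administrator (placeholder value).
CONFIGURED_ROOT_URL = "https://ci.example.internal/"
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(url):
    """Return scheme://host[:port] with default ports dropped, or None if invalid."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    if port and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin

def origin_ok_header_derived(headers, scheme="https"):
    """Weak pattern: the expected origin is built from client-supplied headers."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    actual = normalize_origin(headers.get("Origin", ""))
    return bool(host) and actual is not None and actual == normalize_origin(f"{scheme}://{host}")

def origin_ok_configured(headers):
    """Stricter check: the expected origin comes only from server-side configuration."""
    actual = normalize_origin(headers.get("Origin", ""))
    return actual is not None and actual == normalize_origin(CONFIGURED_ROOT_URL)

# Constructed sample requests (header names as exact dict keys for brevity).
LEGIT = {"Host": "ci.example.internal", "Origin": "https://ci.example.internal"}
# Page served under a name that now resolves to the server: Host and Origin agree.
REBOUND = {"Host": "rebind.example.net", "Origin": "https://rebind.example.net"}
CROSS_SITE = {"Host": "ci.example.internal", "Origin": "https://other.example.org"}

def compare(headers):
    """Return (header-derived verdict, configured-origin verdict) for one request."""
    return origin_ok_header_derived(headers), origin_ok_configured(headers)

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("rebound", REBOUND), ("cross-site", CROSS_SITE)]:
        print(name, compare(req))
```

The header-derived check accepts the rebound request because both values it compares come from the same client-controlled name; the configured check rejects it.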
Recommendations
Update to a newer version than 2.554.
Update to a newer LTS version than 2.541.2.
Fix
Origin Validation Error
Related Identifiers
Affected Products
Jenkins
Red Os