PT-2026-51806 · Jenkins · Jenkins External Workspace Manager Plugin

Published

2026-06-24

Updated

2026-06-24

CVE-2026-57296

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2026-57296

Affected Products

Jenkins External Workspace Manager Plugin

PT-2026-51806 · Jenkins · Jenkins External Workspace Manager Plugin

CVE-2026-57296

Weakness Enumeration

Related Identifiers

Affected Products

References · 2