Description
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins.
This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
Published: 2026-03-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via arbitrary file write
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from Jenkins failing to safely resolve symbolic links when extracting tar and tar.gz archives. A beneficiary attacker can craft an archive that, when uploaded and extracted, overwrites arbitrary files on the controller filesystem. This permits the deployment of malicious scripts or plugins, enabling an attacker to execute code with the privileges of the Jenkins process. The flaw is classified as CWE‑22 and CWE‑59 and poses a significant threat to confidentiality, integrity and availability of the system.

Affected Systems

The affected products are Jenkins instances powered by the Jenkins Project. Versions up to and including Jenkins 2.554 and the Long Term Support release 2.541.2 (and earlier) are vulnerable. Any instance running these releases in a non‑patched state is at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers need the ability to upload or control the extraction of archives, typically requiring Item/Configure permission or the ability to influence agent processes. Once satisfied, the attacker can write files outside the Jenkins home directory, providing a foothold for code execution.

Generated by OpenCVE AI on March 20, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins to a released version newer than 2.554 (or LTS 2.541.2) to eliminate the flaw.
  • Apply any official patches issued by the Jenkins Project following the security advisory.
  • Restrict Item/Configure permissions to trusted administrators only to limit who can submit archives.
  • Disable or monitor the upload of tar and tar.gz files when not required for legitimate builds.
  • Audit the filesystem for unexpected file writes and enforce strict access controls for the Jenkins controller process.

Generated by OpenCVE AI on March 20, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r6qv-frpc-q66c Jenkins has a link following vulnerability allows arbitrary file creation
History

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins jenkins
CPEs cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products Jenkins
Jenkins jenkins

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives
Weaknesses CWE-22
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 19 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-59
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 18 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.
References

Subscriptions

Jenkins Jenkins
Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-03-19T12:58:23.233Z

Reserved: 2026-03-17T15:04:07.615Z

Link: CVE-2026-33001

cve-icon Vulnrichment

Updated: 2026-03-18T15:50:18.837Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T16:16:28.067

Modified: 2026-03-20T18:08:15.507

Link: CVE-2026-33001

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T15:15:23Z

Links: CVE-2026-33001 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:43Z

Weaknesses