Description
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
Published: 2026-03-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via CLI
Action: Apply Patch
AI Analysis

Impact

A flaw in Jenkins’ CLI WebSocket endpoint allows an attacker to bypass origin validation using DNS rebinding. The server trusts the Host or X‑Forwarded‑Host headers to compute an expected origin, but the calculation can be subverted by an attacker who controls the domain name used in the WebSocket request. Successful exploitation permits an attacker to run arbitrary commands on the Jenkins controller, exposing the system to complete takeover.

Affected Systems

Jenkins Project releases from 2.442 through 2.554 and LTS releases from 2.426.3 through 2.541.2 are vulnerable. All installers and Docker images built from these version ranges are affected. The vulnerability does not impact earlier or newer releases outside these ranges.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while an EPSS score of less than 1% suggests that widespread exploitation is currently uncommon. As the flaw relies on a standard DNS rebinding technique, an attacker only needs control of a domain to target a Jenkins instance that accepts CLI WebSocket requests. The vulnerability remains unlisted in the CISA KEV catalog, but the potential for remote code execution warrants immediate attention.

Generated by OpenCVE AI on March 21, 2026 at 07:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Jenkins 2.555 or LTS 2.542 or newer, which contain the upstream fix for the origin validation bypass.
  • Verify that the Jenkins instance restarts without configuration errors after the upgrade.
  • If the CLI WebSocket endpoint is unused, consider disabling it entirely for added defense in depth.
  • If a reverse proxy is employed, ensure that only trusted origins are allowed and that X‑Forwarded‑Host headers cannot be forged.

Generated by OpenCVE AI on March 21, 2026 at 07:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-phhv-63fh-rrc8 Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation
History

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins jenkins
CPEs cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products Jenkins
Jenkins jenkins

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-350
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Thu, 19 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title jenkins: Jenkins: Origin validation bypass via DNS rebinding in CLI WebSocket endpoint
Weaknesses CWE-346
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N'}

threat_severity

Moderate

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 18 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
References

Subscriptions

Jenkins Jenkins
Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-03-19T14:45:46.878Z

Reserved: 2026-03-17T15:04:07.616Z

Link: CVE-2026-33002

cve-icon Vulnrichment

Updated: 2026-03-19T14:45:24.513Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T16:16:28.187

Modified: 2026-03-21T00:18:44.090

Link: CVE-2026-33002

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T15:15:25Z

Links: CVE-2026-33002 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:42Z

Weaknesses