The vulnerability is caused by the Jenkins Credentials Binding Plugin not sanitizing file names supplied in file and zip file credentials. This omission allows an attacker who can provide credentials to a job to write arbitrary files to any location on the node file system. By writing malicious files, the attacker can achieve remote code execution if Jenkins is configured so that a low‑privileged user can set file or zip file credentials for a job running on the built‑in node.

Jenkins Project – Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier are affected. Any installation using the vulnerable plugin on a node where low‑privileged users can configure job credentials is susceptible.

Because the exploit requires the ability to inject credentials into a job, the attack vector is attacker‑authenticated with permissions to create or modify jobs that use file or zip file credentials on the built‑in node. The absence of a sanitization check gives the attacker full write access to the node file system, leading to arbitrary code execution. While there is no EPSS score available and the vulnerability is not listed in the CISA KEV catalogue, the CVSS score of 7.5 indicates high severity, and the potential for remote code execution makes it a risk that should be mitigated promptly.