Description
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.
This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
Published: 2026-06-10
Score: 8.8 High
EPSS: 14.9% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins 2.567 and earlier, and LTS 2.555.2 and earlier, allow an attacker to submit a crafted config.xml that Jenkins deserializes into arbitrary core or plugin types. This deserialization flaw (CWE-502) lets the attacker impersonate any Jenkins user and send HTTP requests on that user's behalf, up to and including use of the Script Console to run arbitrary code on the controller or reading arbitrary files from it, thereby compromising the confidentiality, integrity, and availability of the Jenkins instance.

Affected Systems

The vulnerability affects Jenkins Project’s Jenkins software, specifically version 2.567 and all earlier 2.x releases, as well as the LTS release 2.555.2 and all preceding LTS versions.

Risk and Exploitability

The flaw is triggered by submitting a config.xml file, so an attacker who can reach the Jenkins UI or API can exploit it remotely without any additional credentials. The likely attack vector is therefore the submission of an attacker-controlled configuration file. It is inferred from the description that the vulnerability can be leveraged to execute arbitrary code through the Script Console or to read sensitive files. The CVSS score of 8.8 indicates high severity. The EPSS score of 14% indicates a moderate exploitation probability, and the issue is not listed in CISA KEV, but the combination of remote triggering and the potential for full code execution keeps the risk high, especially for installations that have not applied the available fix.

Generated by OpenCVE AI on June 24, 2026 at 12:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Jenkins 2.568 or newer, or the next LTS release after 2.555.2.
  • Limit the ability to upload or modify config.xml files so that only trusted administrators can submit them.
  • If the Script Console is not required, disable it or restrict access to a narrow set of privileged users.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 00:15:00 +0000

Title: jenkins: Jenkins: Arbitrary code execution via deserialization of attacker-controlled configuration
References: updated
Metrics threat_severity: None -> Important


Fri, 12 Jun 2026 15:30:00 +0000

Title: Jenkins config.xml Deserialization Enables Remote Code Execution

Thu, 11 Jun 2026 13:30:00 +0000

First Time appeared: Jenkins; Jenkins jenkins
CPEs added: cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*; cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products added: Jenkins; Jenkins jenkins

Wed, 10 Jun 2026 20:00:00 +0000

Title: Jenkins config.xml Deserialization Enables Remote Code Execution

Wed, 10 Jun 2026 18:15:00 +0000

Title: Jenkins Arbitrary Deserialization via Custom config.xml Enables Remote Code Execution
Weaknesses: CWE-284

Wed, 10 Jun 2026 16:30:00 +0000

Metrics cvssV3_1 added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 15:45:00 +0000

Title: Jenkins Arbitrary Deserialization via Custom config.xml Enables Remote Code Execution
First Time appeared: Jenkins Project; Jenkins Project jenkins
Weaknesses: CWE-284; CWE-502
Vendors & Products: Jenkins Project; Jenkins Project jenkins

Wed, 10 Jun 2026 13:30:00 +0000

Description added: In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
References: updated

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-30T03:18:04.280Z

Reserved: 2026-06-09T14:26:44.788Z

Link: CVE-2026-53435

Vulnrichment

Updated: 2026-06-30T03:18:04.280Z

NVD

Status: Analyzed

Published: 2026-06-10T14:16:36.440

Modified: 2026-06-11T13:26:14.093

Link: CVE-2026-53435

Red Hat

Severity: Important

Public Date: 2026-06-10T13:05:57Z

Links: CVE-2026-53435 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data