Description
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.
This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, allow an attacker to submit a crafted config.xml that is deserialized into arbitrary core or plugin types. This flaw can be used to impersonate any Jenkins user, send HTTP requests on their behalf, exploit the Script Console to run arbitrary code, or read arbitrary files from the controller. The vulnerability therefore enables complete compromise of confidentiality, integrity, and availability of the Jenkins instance.

Affected Systems

Product: Jenkins. Vendor: Jenkins Project. Affected releases are Jenkins 2.567 and all earlier 2.x releases, as well as the 2.555.2 LTS release and all earlier LTS versions.

Risk and Exploitability

Because the flaw can be triggered by supplying a config.xml file, an attacker with network access to the Jenkins UI or API can exploit it remotely without additional credentials. The vulnerability can lead to full remote code execution. EPSS is not available and the flaw is not listed in the CISA KEV catalog, but the potential impact and the absence of a vendor-provided workaround mean the risk remains high. The flaw is most likely to be exploited by attackers with moderate skill who target Jenkins installations that have not been patched or hardened against unauthorized configuration uploads.

Generated by OpenCVE AI on June 10, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Jenkins 2.568 or newer, or the next LTS version after 2.555.2.
  • Restrict access to the configuration upload functionality so that only trusted administrators can submit config.xml files.
  • Disable the Script Console if it is not required for operation, or limit its use to a narrow set of privileged users.
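The first recommended action is a version comparison, and on a fleet of controllers it is easy to get wrong because weekly and LTS releases use different numbering. The following helper, added here as an example and not OpenCVE's or the Jenkins project's own code, encodes only the ranges stated on this page (weekly 2.567 and earlier, LTS 2.555.2 and earlier are affected; 2.568 or the LTS after 2.555.2 are fixed) and distinguishes LTS from weekly by the number of version components, which is the Jenkins numbering convention. The `X-Jenkins` header is the real header Jenkins sets on its HTTP responses; the inventory and header values below are constructed sample data.

```python
"""Triage Jenkins controllers against the affected ranges stated for this CVE."""
import re

# Affected ranges as stated in the advisory text: weekly <= 2.567, LTS <= 2.555.2.
# Assumption from the recommended actions: any LTS newer than 2.555.2 carries the fix.
AFFECTED_WEEKLY_MAX = (2, 567)
AFFECTED_LTS_MAX = (2, 555, 2)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse '2.567' or '2.555.2' into an integer tuple; reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(version):
    # LTS releases carry three components (2.555.2); weekly releases carry two (2.567).
    return len(version) == 3


def is_affected(text):
    """True when the version falls inside the affected range for its release line."""
    v = parse_version(text)
    if is_lts(v):
        return v <= AFFECTED_LTS_MAX
    return v <= AFFECTED_WEEKLY_MAX


def version_from_headers(headers):
    """Jenkins reports its version in the X-Jenkins response header (case-insensitive lookup)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    return None


def triage(inventory):
    """Map host -> True (affected), False (fixed) or None (no version header seen)."""
    results = {}
    for host, headers in inventory.items():
        ver = version_from_headers(headers)
        results[host] = None if ver is None else is_affected(ver)
    return results


if __name__ == "__main__":
    # Constructed sample inventory: response headers captured from hypothetical controllers.
    sample = {
        "ci-weekly.example": {"X-Jenkins": "2.567"},
        "ci-lts.example": {"x-jenkins": "2.555.2"},
        "ci-new.example": {"X-Jenkins": "2.568"},
        "ci-unknown.example": {"Server": "Jetty"},
    }
    for host, state in triage(sample).items():
        label = {True: "AFFECTED - upgrade", False: "fixed", None: "no version header"}[state]
        print(f"{host}: {label}")
```

Hosts reported as `None` should be checked by hand rather than assumed safe, since a reverse proxy may strip the header.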

Tracking

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type                | Values Removed | Values Added
Title               |                | Jenkins Arbitrary Deserialization via Custom config.xml Enables Remote Code Execution
First Time appeared |                | Jenkins Project; Jenkins Project jenkins
Weaknesses          |                | CWE-284; CWE-502
Vendors & Products  |                | Jenkins Project; Jenkins Project jenkins

Wed, 10 Jun 2026 13:30:00 +0000

Type        | Values Removed | Values Added
Description |                | In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:35:44.158Z

Reserved: 2026-06-09T14:26:44.788Z

Link: CVE-2026-53435

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T14:16:36.440

Modified: 2026-06-10T14:16:36.440

Link: CVE-2026-53435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses