Description
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Script Security Plugin does not intercept implicit type casts applied to elements of typed for‑each loops in sandboxed Groovy scripts, allowing an attacker who can supply such scripts to invoke arbitrary constructors and bypass sandbox protection. This flaw permits execution of arbitrary code within the Jenkins environment, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

Jenkins Project Jenkins Script Security Plugin versions 1402.v94c9ce464861 and earlier are vulnerable. All installations using these or earlier versions of the plugin are impacted.

Risk and Exploitability

An attacker who can provide Groovy scripts to the affected system can exploit this weakness to execute arbitrary constructors, effectively breaking the intended sandbox controls. The CVSS score is not disclosed; EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits yet. However, the ability to bypass the sandbox indicates a high potential for exploitation on systems where Groovy scripting is enabled.

Generated by OpenCVE AI on June 24, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins Script Security Plugin to version 1403 or later.
  • If possible, disable Groovy script execution or remove untrusted sources of scripts.
  • Apply general Jenkins hardening practices, ensuring only trusted users can submit scripts and enforcing strict sandbox policies.

Generated by OpenCVE AI on June 24, 2026 at 15:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Script Security Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Script Security Plugin

Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Jenkins Script Security Plugin Sandbox Bypass via Implicit Type Cast in Groovy Loops
Weaknesses CWE-264
CWE-730

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
References

Subscriptions

Jenkins Project Jenkins Script Security Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T13:58:16.696Z

Reserved: 2026-06-24T08:41:44.357Z

Link: CVE-2026-57280

cve-icon Vulnrichment

Updated: 2026-06-24T13:51:35.385Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T17:00:13Z

Weaknesses