Description
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Script Security Plugin fails to intercept implicit type casts applied to elements of typed for‑each loops in sandboxed Groovy scripts. An attacker who can supply such scripts is able to invoke arbitrary constructors, effectively bypassing the sandbox and executing unrestricted code inside the Jenkins environment, thereby compromising confidentiality, integrity and availability. The weakness corresponds to CWE‑1287.

Affected Systems

Vulnerable installations are those running Jenkins Script Security Plugin version 1402.v94c9ce464861 or earlier. All sites that have not upgraded this plugin are potentially exposed.

Risk and Exploitability

An attacker who can deliver Groovy scripts to the Jenkins server can exercise this flaw to achieve arbitrary code execution. The CVSS score of 8.8 indicates high severity, but the EPSS score of < 1% shows a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attack feasibility requires only the ability to submit scripts, which many Jenkins configurations allow to authorized users, making the risk significant for environments with open script execution rights.

Generated by OpenCVE AI on July 14, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins Script Security Plugin to 1403 or later.
  • If upgrade is not immediately possible, disable Groovy script execution or restrict script submission to trusted users only.
  • Apply general Jenkins hardening practices, limiting script permissions and enforcing strict sandbox policies.

Generated by OpenCVE AI on July 14, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Jul 2026 06:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-264
CWE-730

Sat, 11 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Title Jenkins Script Security Plugin Sandbox Bypass via Implicit Type Cast in Groovy Loops jenkins-script-security-plugin: Jenkins Script Security Plugin: Sandbox bypass leading to arbitrary code execution
Weaknesses CWE-1287
References
Metrics threat_severity

None

threat_severity

Important


Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Script Security Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Script Security Plugin

Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Jenkins Script Security Plugin Sandbox Bypass via Implicit Type Cast in Groovy Loops
Weaknesses CWE-264
CWE-730

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
References

Subscriptions

Jenkins Project Jenkins Script Security Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T13:58:16.696Z

Reserved: 2026-06-24T08:41:44.357Z

Link: CVE-2026-57280

cve-icon Vulnrichment

Updated: 2026-06-24T13:51:35.385Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T13:20:04Z

Links: CVE-2026-57280 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T12:15:10Z

Weaknesses
  • CWE-1287

    Improper Validation of Specified Type of Input

  • CWE-693

    Protection Mechanism Failure