Description
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
Published: 2026-06-24
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins Script Security Plugin version 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations that carry an extensions member. An attacker who is able to run sandboxed Groovy scripts can execute code outside the intended sandbox when a suitable script is present on the classpath of the component that evaluates the script, which amounts to arbitrary code execution within the Jenkins environment. The flaw is associated with CWE-693 and CWE-93.

Affected Systems

The vulnerability affects the Jenkins Project's Script Security Plugin at version 1402.v94c9ce464861 and all earlier releases. Jenkins instances running this plugin are at risk if untrusted Groovy scripts can end up on the classpath of the component that evaluates sandboxed scripts.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, but the potential for code execution makes it a high-impact issue. Exploitation requires the attacker to be able to run sandboxed Groovy scripts and to rely on a suitable script on the classpath that the plugin uses, which is feasible in environments with weak control over library directories or with malicious build artifacts. Once the annotation is processed, the attacker's code runs outside the sandbox, compromising the entire Jenkins instance or its build nodes.

Generated by OpenCVE AI on June 24, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Script Security Plugin to a version newer than 1402.v94c9ce464861, which contains a fix that properly rejects annotations with an extensions member.
  • If an immediate upgrade is not possible, configure Jenkins to exclude untrusted directories from the Groovy classpath or remove any custom Groovy scripts that may contain AST transformation annotations.
  • As a temporary measure, disable the script sandbox for trusted users and monitor for any changes to classpath‑loaded scripts, then revert to sandboxed execution once a permanent patch is applied.



Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:45:00 +0000
  Title: Jenkins Script Security Plugin AST Transformation Annotation Bypass Allows Sandbox Escape

Wed, 24 Jun 2026 16:45:00 +0000
  Title: Groovy AST Transformation Annotation Exploits Sandbox in Jenkins Script Security Plugin

Wed, 24 Jun 2026 16:15:00 +0000
  Title (removed): Groovy AST Transformation Annotation Code Injection in Jenkins Script Security Plugin
  Title (added): Groovy AST Transformation Annotation Exploits Sandbox in Jenkins Script Security Plugin
  Weaknesses: CWE-94

Wed, 24 Jun 2026 15:00:00 +0000
  Title: Groovy AST Transformation Annotation Code Injection in Jenkins Script Security Plugin
  Weaknesses: CWE-94

Wed, 24 Jun 2026 14:30:00 +0000
  Weaknesses: CWE-693, CWE-93
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 13:45:00 +0000
  Description: Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
  References:


MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T13:56:59.301Z

Reserved: 2026-06-24T08:41:44.357Z

Link: CVE-2026-57281

Vulnrichment

Updated: 2026-06-24T13:56:54.832Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:30:16Z

Weaknesses
  • CWE-693: Protection Mechanism Failure
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')