Description
Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins External Workspace Manager Plugin contains a path traversal flaw in the exwsAllocate Pipeline step. Attackers who possess Item/Configure permissions can supply custom workspace paths that include traversal sequences. The plugin does not reject these sequences, enabling the reading of arbitrary files on the Jenkins controller. In the worst case, this can lead to remote code execution by exposing sensitive configuration or executable binaries.

Affected Systems

All releases of the Jenkins External Workspace Manager Plugin up to and including version 1.3.2 are affected. Any Pipeline that invokes the exwsAllocate step is exposed, and the flaw is exploitable by users holding Item/Configure permission.

Risk and Exploitability

The flaw allows a local attacker with sufficient permissions to read arbitrary files on the Jenkins controller. The EPSS score is not available, and the vulnerability is not listed in KEV, indicating that widespread exploitation has not yet been observed. The potential for remote code execution, together with the plugin's widespread use, nevertheless suggests a high risk. Crafting a malicious workspace path is straightforward, and no exploitation conditions beyond the listed permission level are required. Consequently, the vulnerability warrants urgent attention.

Generated by OpenCVE AI on June 24, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins External Workspace Manager Plugin to the latest version provided by the Jenkins Project.
  • Restrict Item/Configure permissions for users running pipelines that use exwsAllocate to only trusted personnel, removing the permission from untrusted users.
  • Audit existing pipelines for custom workspace paths and validate or sanitize any inputs that could be exploited for path traversal.
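One way to implement the validation recommended in the last item, as an added example that is not the plugin's own code: resolve the caller-supplied custom workspace path against the disk's root directory and reject anything that is absolute or escapes the root once traversal sequences are collapsed. The class and method names and the example root directory are assumptions.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not code from the External Workspace Manager Plugin.
 * Shows the containment check a custom workspace path needs: the
 * caller-controlled segment is resolved against the disk root and
 * must remain beneath it after "." and ".." are collapsed.
 */
public final class WorkspacePathValidator {

    private WorkspacePathValidator() {}
    /**
     * @param diskRoot   configured root of the external disk (trusted admin config)
     * @param customPath relative path supplied by the Pipeline step (untrusted)
     * @return the absolute, normalized workspace directory
     * @throws IllegalArgumentException if the path is empty, absolute, or escapes the root
     */
    public static Path resolveWorkspace(Path diskRoot, String customPath) {
        if (customPath == null || customPath.trim().isEmpty()) {
            throw new IllegalArgumentException("custom workspace path is required");
        }
        Path root = diskRoot.toAbsolutePath().normalize();
        Path candidate;
        try {
            candidate = Paths.get(customPath);
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid custom workspace path", e);
        }
        if (candidate.isAbsolute()) { // an absolute path would bypass the root entirely
            throw new IllegalArgumentException("custom workspace path must be relative");
        }
        // normalize() folds "..", so root/../../etc becomes /etc and fails startsWith(root)
        Path resolved = root.resolve(candidate).normalize();
        if (resolved.equals(root) || !resolved.startsWith(root)) {
            throw new IllegalArgumentException("custom workspace path escapes disk root: " + customPath);
        }
        return resolved;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/mnt/exws-disk1"); // constructed example root
        System.out.println("accepted: " + resolveWorkspace(root, "team-a/build-42"));
        for (String bad : new String[] {"../../../etc", "team-a/../..", "/etc/passwd"}) {
            try { resolveWorkspace(root, bad); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

The lexical check does not see symbolic links already present under the root; if the target directory exists, compare `toRealPath()` results as well before using it.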

Generated by OpenCVE AI on June 24, 2026 at 15:27 UTC.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 15:45:00 +0000

Type / Values Removed / Values Added
Title: Path Traversal in Jenkins External Workspace Manager Plugin Exposes Controller Files
Weaknesses: CWE-200

Wed, 24 Jun 2026 15:30:00 +0000

Type / Values Removed / Values Added
Weaknesses: CWE-22
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
         ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type / Values Removed / Values Added
Description: Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.
References:


MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:37:14.661Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57296

Vulnrichment

Updated: 2026-06-24T14:37:11.677Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:30:17Z

Weaknesses

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')