Description
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that the Jenkins OWASP ZAP Plugin versions 1.0.7 and earlier performed build tasks on the Jenkins controller rather than on a dedicated agent. This design flaw permits an attacker who has the Item/Configure privilege to trigger arbitrary code execution on the controller machine. Because the controller often runs with elevated privileges, an exploit yields full compromise of the Jenkins environment, enabling the attacker to tamper with builds, exfiltrate data, or pivot to other systems integrated with Jenkins. This issue effectively escalates a locally authenticated privilege to a remote code execution vector on the control plane.

Affected Systems

The vulnerability affects the Jenkins Project’s OWASP ZAP Plugin, specifically versions 1.0.7 and prior. The affected environment is the Jenkins continuous integration controller that hosts the plugin.

Risk and Exploitability

Based on the description, the CVSS score is 8.8, indicating a high severity vulnerability. The EPSS score is unavailable, so the likelihood of exploitation in the wild cannot be quantified, but due to the critical role of Jenkins in many pipelines and the common delegation of Item/Configure rights, the risk is significant. The CISA KEV catalog does not list this vulnerability, so no public exploits have been reported yet. The probable attack vector requires authenticated access to the Jenkins instance with sufficient configuration rights; hence, organizations that limit those permissions can reduce the exposure. Nonetheless, the capability to run arbitrary commands on the controller provides a powerful attack surface that should be mitigated promptly.

Generated by OpenCVE AI on June 24, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OWASP ZAP Plugin to a version that addresses this flaw (1.0.8 or later, if available).
  • Restrict the Item/Configure permission to a minimal set of trusted users, avoiding widespread authorization.
  • Remove or disable the OWASP ZAP Plugin if it is not essential for your build processes.
  • Verify that builds are executed on designated agent nodes rather than the controller, ensuring that build artifacts do not run locally.

Generated by OpenCVE AI on June 24, 2026 at 18:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Owasp Zap Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Owasp Zap Plugin

Wed, 24 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution on Jenkins Controller via OWASP ZAP Plugin Build Operations
Weaknesses CWE-284
CWE-78
CWE-94

Wed, 24 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution on Jenkins Controller via OWASP ZAP Plugin Build Operations
Weaknesses CWE-284
CWE-78
CWE-94

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-610
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
References

Subscriptions

Jenkins Project Jenkins Owasp Zap Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:34:32.042Z

Reserved: 2026-06-24T08:41:44.359Z

Link: CVE-2026-57301

cve-icon Vulnrichment

Updated: 2026-06-24T14:29:36.614Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:40:56Z

Weaknesses
  • CWE-610

    Externally Controlled Reference to a Resource in Another Sphere