← Back

CVE-2026-53435

nvd nist
Published: Jun 10, 2026Modified: Jun 11, 2026

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

Affected (2)

Products: Jenkins: Jenkins
Jenkins
1 product
Jenkins
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Jenkins
Jenkins
Before 2.568
Jenkins
Before 2.555.3

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (1)

Source: jenkinsci-cert@googlegroups.com
Vendor Advisory

Timeline

No history available yet.