

18 Jenkins plugins including Script Security Plugin, Pipeline: Groovy Plugin, External Workspace Manager Plugin, OWASP ZAP Plugin, Git client Plugin, Active Directory Plugin, Assembla Plugin, Bitbucket Push and Pull Request Plugin, Contrast Continuous Application Security Plugin, EC2 Fleet Plugin, FitNesse Plugin, Gitee Plugin, GitHub Branch Source Plugin, Git Parameter Plugin, Job Configuration History Plugin, MCP Server Plugin, Priority Sorter Plugin, and Zowe zDevOps Plugin.
Multiple vulnerabilities have been identified across 18 Jenkins plugins. Successful exploitation could result in arbitrary code execution on the Jenkins controller, unauthorised access, information disclosure, and cross-site request forgery. The most severe issues are two CVSS 8.8 vulnerabilities: a sandbox bypass in Script Security Plugin that allows arbitrary code execution, and a path traversal in External Workspace Manager Plugin that can lead to remote code execution via arbitrary file read. Four plugins have no available fix at time of publication.
Advisory published 24 June 2026. No active exploitation confirmed at time of publication. Fixes available for 14 of 18 affected plugins. Assembla Plugin, FitNesse Plugin, OWASP ZAP Plugin, and Zowe zDevOps Plugin have no fix available.
Jenkins controllers and agents accessible to users with varying permission levels depending on the vulnerability. Several high-severity issues require only Item/Read or Overall/Read permissions. The most critical issues (CVE-2026-57280, CVE-2026-57296, CVE-2026-57301) require Item/Configure permission or the ability to provide sandboxed scripts.
CVE-2026-57280 (CVSS 8.8) - Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type cast in typed for loops during bytecode generation. Attackers with access to sandboxed scripts can invoke constructors of arbitrary types without sandbox checks, enabling arbitrary code execution on the Jenkins controller.
CVE-2026-57281 (CVSS 7.5) - Script Security Plugin does not reject Groovy AST transformation annotations carrying an extensions member, causing Groovy to load and execute classpath scripts at compile time before the sandbox is applied. Can allow code execution outside the sandbox.
CVE-2026-57282 (CVSS 5.0) - Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name in the SSH wrapper script, allowing OS command injection on Unix agents via build parameters that control the workspace directory.
CVE-2026-57283 / CVE-2026-57284 (CVSS 4.3) - Pipeline: Groovy Plugin does not restrict instantiable types via the Pipeline Snippet Generator and allows GET access to the endpoint, enabling CSRF attacks and impersonation of trusted users when social engineering an administrator into approving a malicious script.
CVE-2026-57296 (CVSS 8.8) - External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal segments in custom workspace paths, allowing the workspace to escape the configured disk mount. Attackers with Item/Configure permission can read arbitrary files on the Jenkins controller, which can lead to remote code execution.
CVE-2026-57301 (CVSS 8.8) - OWASP ZAP Plugin 1.0.7 and earlier executes its automated build process on the Jenkins controller rather than the assigned agent. Attackers with Item/Configure permission can configure an attacker-controlled project to execute arbitrary code on the controller. No fix available.
CVE-2026-57303 (CVSS 7.1) - Assembla Plugin 1.4 and earlier does not prevent XXE attacks when parsing Assembla server responses, allowing attackers who control the Assembla server to extract secrets or perform SSRF. No fix available.
CVE-2026-57289 (CVSS 4.8) - Bitbucket Push and Pull Request Plugin unconditionally disables SSL/TLS certificate and hostname validation, allowing network attackers to capture Bearer tokens and impersonate the Jenkins controller to Bitbucket Server.
The CVSS 8.8 sandbox bypass (CVE-2026-57280) and path traversal (CVE-2026-57296) can both lead to arbitrary code execution on the Jenkins controller, which typically holds significant access to source code, build artifacts, deployment credentials, and cloud infrastructure. The information disclosure vulnerabilities expose credentials stored in Jenkins that could be used to pivot into adjacent systems. Four plugins (Assembla, FitNesse, OWASP ZAP, Zowe zDevOps) have no available fix, leaving organisations reliant on compensating controls.
Risk is rated High across all organisation sizes in both government and commercial sectors. Jenkins is a critical component in most software delivery pipelines; compromise of the controller gives attackers access to build secrets, deployment keys, source repositories, and the ability to tamper with software releases. The breadth of the advisory (28 CVEs across 18 plugins) reflects systemic plugin security hygiene issues rather than isolated incidents.
Apply the following fixed versions immediately after appropriate testing:
Script Security Plugin: 1402.1405.vc96e74964250. Pipeline: Groovy Plugin: 4331.4333.v50a_b_076c5199. External Workspace Manager Plugin: 1.4.0. Git client Plugin: 6.6.1. Git Parameter Plugin: 462.463.v496a_59f698e5. Active Directory Plugin: 2.41.2. Bitbucket Push and Pull Request Plugin: 3.3.9. Contrast Continuous Application Security Plugin: 3.12. EC2 Fleet Plugin: 4.2.3.540.va_6eedb_7b_c112. Gitee Plugin: 1292.v2559f2f3f2c0. GitHub Branch Source Plugin: 1967.1970.vd86979736546. Job Configuration History Plugin: 1367.vc8fa_b_15101dc. MCP Server Plugin: 0.178.vffe5a_e770f3b_. Priority Sorter Plugin: 936.937.v5581d0b_2ccb_a_.
For plugins with no fix (Assembla, FitNesse, OWASP ZAP, Zowe zDevOps), disable or remove the plugin if not required. Apply the Principle of Least Privilege to all Jenkins accounts and restrict Item/Configure and Overall/Read permissions to trusted users only. Implement network segmentation to restrict access to the Jenkins controller to authorised systems only.
Conduct automated vulnerability scans of Jenkins instances to identify all affected plugin versions. Establish and maintain a vulnerability management process with monthly patch reviews. Deploy application penetration testing for critical Jenkins deployments. Monitor Jenkins audit logs for unexpected administrative actions, unusual build configurations, or unauthorised access patterns. Enable anti-exploitation features on the Jenkins controller host. Use DNS filtering and network-based URL filtering to restrict Jenkins from connecting to attacker-specified external URLs.
Jenkins Security Advisory 2026-06-24: jenkins.io/security/advisory/2026-06-24/. CVEs: CVE-2026-57280 through CVE-2026-57307 (28 CVEs total).
Trusted by clients worldwide






Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.




