CVE-2026-33001

High

Published: 18 March 2026

Published

18 March 2026

Modified

20 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0014 33.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access…

permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching and remediation of known flaws like CVE-2026-33001 in Jenkins archive extraction.

SI-10 Information Input Validation good match

prevent

Requires validation of inputs such as .tar/.tar.gz archives to prevent unsafe symbolic link handling and arbitrary file writes.

AC-6 Least Privilege partial match

prevent

Enforces least privilege for the Jenkins process user, restricting the scope of arbitrary file writes during exploitation.

Security SummaryAI

CVE-2026-33001 is a file symlink vulnerability (CWE-59) in Jenkins versions 2.554 and earlier, including LTS 2.541.2 and earlier. The issue arises from the software's failure to safely handle symbolic links during the extraction of .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, with access restricted only by the permissions of the user running Jenkins. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-18.

Attackers with Item/Configure permission on a Jenkins item, or those able to control agent processes, can exploit this flaw by supplying malicious .tar or .tar.gz archives. Successful exploitation enables deployment of malicious scripts or plugins directly on the Jenkins controller, potentially leading to full compromise depending on the attacker's goals and the system's configuration.

The official Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657 provides guidance on mitigation, including details on affected versions and recommended patches.

Details

CWE(s): CWE-59

Affected Products

jenkins

≤ 2.541.3 · ≤ 2.555

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of public-facing Jenkins application (T1190) via symlink in archives for arbitrary file writes, facilitating privilege escalation from Item/Configure permissions to controller compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657
Vendor Advisory · jenkinsci-cert@googlegroups.com