Zero Day Monitor © 2026
CVE-2026-33002 · PATCHED · CVSS 7.5
jenkins · jenkins


Description

Jenkins 2.442 through 2.554 (both inclusive) and LTS 2.426.3 through LTS 2.541.2 (both inclusive) validate the origin of requests to the CLI WebSocket endpoint by computing the expected origin from the Host or X-Forwarded-Host HTTP request headers and comparing it with the Origin header of the same request. Both values arrive with the request, so the comparison is between two client-influenced strings rather than between the request and a server-side fact. This makes the check bypassable by DNS rebinding: the attacker serves a page from a hostname they control, then re-points that hostname at the Jenkins controller's IP address; the victim's browser keeps using the attacker's host:port, so the WebSocket handshake reaches Jenkins with a Host header and an Origin header that both carry the attacker's hostname, the computed expected origin matches, and origin validation passes.
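
The following Python model is an added example, not code from Jenkins or from the advisory. It places the header-derived expected origin the advisory describes beside a check against a server-side configured root URL, and runs three constructed WebSocket upgrade requests through both: a legitimate request, a DNS rebinding request, and a rebinding request arriving through a reverse proxy that copies the browser's Host into X-Forwarded-Host. The hostnames, the port, the JENKINS_ROOT_URL value and all header values are assumptions made for illustration.

```python
"""Model of the two origin-validation strategies (added example, not Jenkins code).

Hostnames, ports, JENKINS_ROOT_URL and the request dicts are constructed for
illustration and are not taken from the advisory.
"""
from urllib.parse import urlsplit

# Assumed server-side configuration (hypothetical value, stands in for the
# "Jenkins URL" an administrator configures).
JENKINS_ROOT_URL = "http://jenkins.corp.example:8080/"


def _normalize(scheme, netloc):
    """Canonical 'scheme://host[:port]' so comparisons are case-insensitive."""
    return f"{scheme.lower()}://{netloc.lower()}"


def expected_origin_from_headers(headers):
    """Vulnerable pattern: the expected origin is built from headers the client sent.

    Host and X-Forwarded-Host arrive with the request, so whoever controls the
    hostname the browser used also controls the value we compare against.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "http")
    return _normalize(scheme, host)


def expected_origin_from_root_url(root_url):
    """Hardened pattern: the expected origin comes from configuration, not the request."""
    parts = urlsplit(root_url)
    return _normalize(parts.scheme, parts.netloc)


def _request_origin(headers):
    """Normalized Origin header, or None when the handshake carries none."""
    origin = headers.get("Origin")
    if origin is None:
        return None
    parts = urlsplit(origin)
    return _normalize(parts.scheme, parts.netloc)


def origin_allowed_vulnerable(headers):
    """True if the request passes the header-derived check."""
    origin = _request_origin(headers)
    return origin is not None and origin == expected_origin_from_headers(headers)


def origin_allowed_fixed(headers, root_url=JENKINS_ROOT_URL):
    """True if the request passes the root-URL-derived check."""
    origin = _request_origin(headers)
    return origin is not None and origin == expected_origin_from_root_url(root_url)


# Constructed WebSocket upgrade requests as the controller would see them.
# Legitimate: the browser loaded the Jenkins UI from its real root URL.
LEGITIMATE_REQUEST = {
    "Host": "jenkins.corp.example:8080",
    "Origin": "http://jenkins.corp.example:8080",
    "Upgrade": "websocket",
}

# DNS rebinding: the victim opened http://rebind.attacker.example:8080/ while
# that name resolved to the attacker's server; the attacker then re-pointed the
# name at the controller's IP. The browser keeps the same host:port, so Host and
# Origin both carry the attacker's hostname.
REBINDING_REQUEST = {
    "Host": "rebind.attacker.example:8080",
    "Origin": "http://rebind.attacker.example:8080",
    "Upgrade": "websocket",
}

# Same attack through a reverse proxy that rewrites Host to the backend name
# but copies the browser's Host into X-Forwarded-Host, which the vulnerable
# pattern prefers.
FORWARDED_HOST_REQUEST = {
    "Host": "jenkins.corp.example:8080",
    "X-Forwarded-Host": "rebind.attacker.example:8080",
    "Origin": "http://rebind.attacker.example:8080",
    "Upgrade": "websocket",
}


def evaluate(headers):
    """Run both checks on one request; returns (vulnerable_result, fixed_result)."""
    return origin_allowed_vulnerable(headers), origin_allowed_fixed(headers)


if __name__ == "__main__":
    for name, req in [("legitimate", LEGITIMATE_REQUEST),
                      ("dns-rebinding", REBINDING_REQUEST),
                      ("x-forwarded-host", FORWARDED_HOST_REQUEST)]:
        vuln, fixed = evaluate(req)
        print(f"{name:17} header-derived: {'ALLOW' if vuln else 'DENY':5}  "
              f"root-URL: {'ALLOW' if fixed else 'DENY'}")
```

Both rebinding requests pass the header-derived check and fail the root-URL check, while the legitimate request passes both. Two caveats for anyone adapting the hardened pattern: it is only as trustworthy as the configured root URL, so that setting must be correct and must not itself be derived from request headers, and a production comparison should also normalize default ports (80 for http, 443 for https), which this model leaves out.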

Affected Products

Vendor  | Product | Versions
jenkins | jenkins | < 2.541.3 (LTS line; affected from 2.426.3), < 2.555 (weekly line; affected from 2.442)

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor  | Product                  | Source        | Confidence
jenkins | jenkins                  | cert_advisory | 90%
red hat | red hat enterprise linux | cert_advisory | 90%

References

  • https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674 (Vendor Advisory)

Related News (1 articles)

Tier B · BSI Advisories · 33d ago
[UPDATE] [high] Jenkins: Multiple Vulnerabilities
→ No new info (linked only)
CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA KEV: No
Actively exploited: No
Patch available: 2.541.3 (LTS), 2.555 (weekly)
CWE: CWE-350 (Reliance on Reverse DNS Resolution for a Security Decision)
Published: Mar 18, 2026
Last enriched: 56d ago
Trending Score: 1
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • PRE-CVE: Multiple Vulnerabilities in Jenkins Plugins (Trending: 20)
  • HIGH [EXP] CVE-2026-42524: Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in (Trending: 1)
  • CRITICAL [EXP] CVE-2026-42523: Jenkins GitHub Plugin 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing val (Trending: 1)
  • MEDIUM CVE-2026-33003: Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or (Trending: 1)
  • HIGH [EXP] CVE-2026-42520: Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file cre (Trending: 1)


Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 18, 2026
Patch Available: Mar 21, 2026
Discovered by ZDM: Apr 1, 2026