HIGH 8.8

CVE-2026-53435: Critical Java Deserialization Vulnerability in Jenkins – CVSS 8.8

Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a critical flaw in how they process configuration files. An authenticated attacker can craft a malicious `config.xml` file that causes Jenkins to deserialize and instantiate arbitrary Java objects from Jenkins core or installed plugins. Once deserialized, these objects can intercept and handle HTTP requests, enabling the attacker to impersonate any Jenkins user—including administrators—and perform actions such as accessing the Script Console to execute arbitrary code or reading sensitive files from the Jenkins controller.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-502
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-07-15

NVD description (verbatim)

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from unsafe Java deserialization of untrusted data during `config.xml` processing. Jenkins fails to restrict deserialization to a safe allowlist of types, permitting attackers to instantiate arbitrary classes available in the classpath. By submitting a specially crafted configuration object that implements HTTP request handling (gadget chains), an attacker with authenticated access can intercept subsequent HTTP requests and execute them in the context of any user, including the Jenkins administrator. This abuse of the deserialization mechanism circumvents normal access controls and enables lateral privilege escalation and code execution.

Business impact

This vulnerability poses a severe risk to organizations relying on Jenkins for CI/CD automation. A compromised Jenkins instance can become a pivot point for attackers to deploy malware, exfiltrate source code and build artifacts, modify deployments, or use the controller to attack downstream systems. Given that Jenkins often runs with elevated privileges in enterprise environments and holds credentials for production systems, exploitation could result in full infrastructure compromise, data loss, and supply chain contamination.

Affected systems

Jenkins versions 2.567 and all earlier releases are affected, as well as Jenkins LTS releases through version 2.555.2. Any organization running these versions with users who have permissions to submit configuration files is at risk. The vulnerability requires authenticated access, so the threat is primarily from malicious insiders, compromised user accounts, or attackers who have already gained initial access to a Jenkins user account.

Exploitability

Exploitation requires valid Jenkins user credentials and the ability to submit or modify a `config.xml` configuration file—typically available to users with 'Configure' permissions on jobs or global settings. While this is not a zero-click vulnerability, the low complexity and direct path to code execution make it attractive once authentication is obtained. No CVSS v3.1 vector indicates the need for user interaction, and the network-accessible nature of Jenkins web interfaces means remote exploitation is possible for internet-facing instances.

Remediation

Organizations must immediately upgrade to patched versions once released by the Jenkins project. Verify the specific patch versions against the official Jenkins security advisory. In the interim, restrict Jenkins user base to trusted personnel only, implement strict network access controls limiting Jenkins web access to internal networks, enforce multi-factor authentication on Jenkins accounts, and monitor configuration file submissions for suspicious deserialization payloads. Review audit logs for unauthorized configuration changes.

Patch guidance

Contact the Jenkins project security advisories or visit jenkins.io/security for the fixed versions addressing CVE-2026-53435. Patch versions are vendor-specific; verify against the official advisory before deploying. Test patches in a non-production environment first, as Jenkins configuration changes may affect build pipelines. Coordinate patching with CI/CD schedules to minimize disruption.

Detection guidance

Monitor Jenkins audit logs for configuration file modifications, particularly `config.xml` changes submitted by non-administrative users. Look for serialized Java objects in configuration submissions that reference unexpected classes or gadget chain libraries. Implement file integrity monitoring on Jenkins controller configuration directories. Network-based detection is challenging due to encryption, but monitoring for unusual outbound HTTP requests from the Jenkins controller process may indicate exploitation. Review Jenkins plugin audit trails for instantiation of suspicious classes during configuration deserialization.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH severity rating (CVSS 8.8), direct path to arbitrary code execution, and potential for complete Jenkins infrastructure compromise. The ability to impersonate any user and execute arbitrary commands makes this a critical control-plane attack. Organizations should treat patching as urgent, especially for internet-facing or multi-tenant Jenkins instances.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects high impact across confidentiality, integrity, and availability. While authentication is required (PR:L), the attack complexity is low (AC:L) and no user interaction is needed (UI:N). The scope is unchanged, but the consequences are severe: attackers gain the ability to run code as any user, read sensitive data, and modify system state. This score appropriately captures the severity of Java deserialization vulnerabilities in privileged services.

Frequently asked questions

Can this vulnerability be exploited without a valid Jenkins user account?

No. The vulnerability requires authenticated access to Jenkins and sufficient permissions to submit or modify configuration files. However, compromised credentials, insider threats, or prior initial access can enable exploitation. Protect Jenkins account credentials as rigorously as you protect production systems.

Does this affect Jenkins instances behind firewalls or in restricted networks?

Yes. Any Jenkins instance accessible to a user with configuration privileges is at risk, regardless of network position. Internal networks remain targets for insider threats and lateral movement attacks following a data breach.

What is the difference between Jenkins standard release and LTS?

Jenkins offers two release channels: the standard release with the latest features (affected through version 2.567) and LTS (Long-Term Support) releases that receive security updates longer (affected through LTS 2.555.2). Organizations typically run LTS for stability, but both require patching.

Could an attacker use this to steal my Jenkins credentials or API tokens?

Yes. By impersonating a user and accessing the Script Console or reading configuration files, an attacker can extract API tokens, SSH keys, and credentials stored in Jenkins that are used to authenticate to other systems, potentially compromising your entire infrastructure.

This analysis is based on vendor-supplied vulnerability data and public disclosures as of the date of publication. Specific patch version numbers and availability dates must be verified against official Jenkins security advisories at jenkins.io/security. SEC.co makes no warranty regarding the accuracy of patching guidance or applicability to specific deployments. Organizations should conduct thorough testing in non-production environments before applying patches. This summary does not constitute legal or compliance advice; consult your security team and compliance officer regarding incident response and disclosure obligations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).