CVE-2026-33002
Received Received - Intake
DNS Rebinding Vulnerability in Jenkins CLI WebSocket Endpoint

Publication date: 2026-03-18

Last updated on: 2026-03-21

Assigner: Jenkins Project

Description
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-21
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33002
EUVD
EUVD-2026-12845
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jenkins jenkins From 2.442 (inc) to 2.555 (exc)
jenkins jenkins From 2.426.3 (inc) to 2.541.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-350 The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33002 is a high-severity vulnerability in Jenkins affecting versions 2.442 through 2.554 and LTS versions 2.426.3 through 2.541.2. It involves the origin validation mechanism of the CLI WebSocket endpoint, which relies on the Host or X-Forwarded-Host HTTP headers to verify request origins.

This approach is vulnerable to DNS rebinding attacks, where an attacker tricks a victim into visiting a malicious website that resolves the domain to the Jenkins controller’s IP address. This allows the attacker to bypass origin validation and establish a WebSocket connection to the CLI endpoint from an untrusted origin.

The vulnerability requires Jenkins to be accessible over plain HTTP and the CLI WebSocket endpoint to be accessible. The impact depends on the permissions granted to the anonymous user.

Impact Analysis

[{'type': 'paragraph', 'content': 'If exploited, this vulnerability can allow attackers to bypass origin validation and connect to the Jenkins CLI WebSocket endpoint from an untrusted origin.'}, {'type': 'list_item', 'content': 'If the anonymous user has broad permissions (such as "Anyone can do anything"), attackers can execute CLI commands including Groovy scripting commands, potentially leading to arbitrary code execution.'}, {'type': 'list_item', 'content': 'If the anonymous user has no permissions, attackers can only execute the who-am-i CLI command, which reveals limited information.'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized control over Jenkins, execution of arbitrary code, and compromise of the system depending on the permissions configured.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Jenkins to version 2.555 or later, or LTS 2.541.3 or later, where the origin validation mechanism has been fixed.

If upgrading is not immediately possible, enforce authentication on the Jenkins controller and remove permissions from the anonymous user to reduce risk.

Additionally, ensure that Jenkins is not accessible over plain HTTP, as exploitation requires HTTP access.

Administrators can also revert to the previous behavior by setting the Java system property `hudson.cli.CLIAction.ACCEPT_URL_FROM_REQUEST` to true if needed, but this is not recommended as it re-enables the vulnerable behavior.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart