CVE-2026-33002
DNS Rebinding Vulnerability in Jenkins CLI WebSocket Endpoint
Publication date: 2026-03-18
Last updated on: 2026-03-21
Assigner: Jenkins Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | jenkins | From 2.442 (inc) to 2.555 (exc) |
| jenkins | jenkins | From 2.426.3 (inc) to 2.541.3 (exc) |
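The affected-version table above gives two half-open ranges, one for the weekly line (two-part versions) and one for the LTS line (three-part versions). The following checker, added here as an illustration and not part of this record or of the Jenkins project, encodes those ranges so an installed version string can be classified; the release-line rule (two components = weekly, three = LTS) is the conventional Jenkins numbering and is an assumption of this example.

```python
"""Classify a Jenkins version string against the CVE-2026-33002 affected ranges."""
from typing import Dict, Tuple

# Ranges copied from the affected-products table: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "weekly": ("2.442", "2.555"),
    "lts": ("2.426.3", "2.541.3"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.541.2' into (2, 541, 2) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def release_line(parts: Tuple[int, ...]) -> str:
    """Assumption: Jenkins weekly releases have two components, LTS releases three."""
    if len(parts) == 2:
        return "weekly"
    if len(parts) == 3:
        return "lts"
    raise ValueError(f"unrecognised Jenkins version shape: {'.'.join(map(str, parts))}")


def is_affected(version: str) -> bool:
    """True if the version falls inside the affected range for its release line."""
    parts = parse_version(version)
    low, high = (parse_version(bound) for bound in AFFECTED_RANGES[release_line(parts)])
    return low <= parts < high


if __name__ == "__main__":
    for v in ("2.441", "2.442", "2.554", "2.555", "2.426.2", "2.426.3", "2.541.2", "2.541.3"):
        print(f"{v:>8}: {'affected' if is_affected(v) else 'not affected'}")
```

The version comes from the `X-Jenkins` response header or the controller's "About Jenkins" page; the checker deliberately refuses version shapes it does not recognise rather than guessing a range.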
Exploitability
| CWE ID | Description |
|---|---|
| CWE-350 | The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33002 is a high-severity vulnerability in Jenkins affecting versions 2.442 through 2.554 and LTS versions 2.426.3 through 2.541.2. It involves the origin validation mechanism of the CLI WebSocket endpoint, which relies on the Host or X-Forwarded-Host HTTP headers to verify request origins.
This approach is vulnerable to DNS rebinding attacks, where an attacker tricks a victim into visiting a malicious website that resolves the domain to the Jenkins controller's IP address. This allows the attacker to bypass origin validation and establish a WebSocket connection to the CLI endpoint from an untrusted origin.
The vulnerability requires Jenkins to be accessible over plain HTTP and the CLI WebSocket endpoint to be accessible. The impact depends on the permissions granted to the anonymous user.
How can this vulnerability impact me?
If exploited, this vulnerability can allow attackers to bypass origin validation and connect to the Jenkins CLI WebSocket endpoint from an untrusted origin.
- If the anonymous user has broad permissions (such as "Anyone can do anything"), attackers can execute CLI commands including Groovy scripting commands, potentially leading to arbitrary code execution.
- If the anonymous user has no permissions, attackers can only execute the who-am-i CLI command, which reveals limited information.
This can lead to unauthorized control over Jenkins, execution of arbitrary code, and compromise of the system depending on the permissions configured. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Jenkins to version 2.555 or later, or LTS 2.541.3 or later, where the origin validation mechanism has been fixed.
If upgrading is not immediately possible, enforce authentication on the Jenkins controller and remove permissions from the anonymous user to reduce risk.
Additionally, ensure that Jenkins is not accessible over plain HTTP, as exploitation requires HTTP access.
Administrators can also revert to the previous behavior by setting the Java system property `hudson.cli.CLIAction.ACCEPT_URL_FROM_REQUEST` to true if needed, but this is not recommended as it re-enables the vulnerable behavior.
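The mitigation section above turns on one design point: whether the expected origin of a WebSocket handshake is derived from client-controlled request headers (`Host`, `X-Forwarded-Host`) or from the server's configured root URL. The example below, written for this page and not taken from Jenkins, puts the two policies side by side in a small origin validator and feeds it a constructed handshake of the kind a browser sends once a DNS rebinding has pointed the attacker's hostname at the controller. The `accept_url_from_request` flag mirrors the role of the system property named above; the hostnames, port and the refusal of handshakes without an `Origin` header are assumptions of this example.

```python
"""WebSocket origin validation: request-derived (weak) versus configured (hardened)."""
from typing import Dict, Optional, Tuple

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _normalize(url: str) -> Optional[Tuple[str, str, int]]:
    """Reduce a URL to (scheme, host, port) so origins compare structurally, not as strings."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    try:
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # non-numeric port
        return None
    if port is None:
        return None
    return (scheme, parts.hostname.lower(), port)


def expected_origin_from_request(headers: Dict[str, str]) -> str:
    """Weak policy: build the expected origin from headers the client (or its DNS) controls."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "http")
    return f"{scheme}://{host}"


def origin_allowed(headers: Dict[str, str], configured_root_url: str,
                   accept_url_from_request: bool = False) -> bool:
    """Return True if the handshake's Origin matches the server's expected origin.

    With accept_url_from_request=False the expected origin is the operator-configured
    root URL; with True it is rebuilt from the request, which is the weak behaviour.
    """
    origin = headers.get("Origin")
    if origin is None:
        return False  # this example's policy: browser-style handshakes must carry Origin
    expected = expected_origin_from_request(headers) if accept_url_from_request else configured_root_url
    got, want = _normalize(origin), _normalize(expected)
    return got is not None and want is not None and got == want


# Constructed values for the demonstration (not from the advisory).
CONFIGURED_ROOT = "http://jenkins.internal.example:8080/"

# After rebinding, attacker.example resolves to the controller, so the browser sends
# both Host and Origin carrying the attacker's hostname over plain HTTP.
REBOUND_HANDSHAKE = {
    "Host": "attacker.example:8080",
    "Origin": "http://attacker.example:8080",
    "Upgrade": "websocket",
}
LEGIT_HANDSHAKE = {
    "Host": "jenkins.internal.example:8080",
    "Origin": "http://jenkins.internal.example:8080",
    "Upgrade": "websocket",
}


def demo() -> Dict[str, bool]:
    """Compare both policies on the two handshakes."""
    return {
        "rebound_weak": origin_allowed(REBOUND_HANDSHAKE, CONFIGURED_ROOT, accept_url_from_request=True),
        "rebound_hardened": origin_allowed(REBOUND_HANDSHAKE, CONFIGURED_ROOT),
        "legit_hardened": origin_allowed(LEGIT_HANDSHAKE, CONFIGURED_ROOT),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>17}: {'allowed' if allowed else 'rejected'}")
```

The weak policy accepts the rebound handshake because `Host` and `Origin` agree with each other, which is exactly what a rebinding produces; the hardened policy rejects it because neither header is consulted when deciding what the server's own origin is. This is also why the advisory treats the root URL as something the administrator configures and why enabling the opt-out property restores the exposure.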