CVE-2026-48922
Remote Code Execution in Jenkins Credentials Binding Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: Jenkins Project

Description
Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
Meta Information

Generated: 2026-06-16

AI Q&A: 2026-05-27

EPSS evaluated: 2026-06-15
Affected Vendors & Products

Vendor: jenkins
Product: credentials_binding
Version / Range: up to 725.ve52b_2328a_fde (exclusive)
CWE

CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

The vulnerability exists in the Jenkins Credentials Binding Plugin version 720.v3f6decef43ea_ and earlier. It occurs because the plugin does not properly sanitize file names for file and zip file credentials. This flaw allows attackers who can provide credentials to a Jenkins job to write files to arbitrary locations on the node's filesystem.

If Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node, this vulnerability can be exploited to write files anywhere on the node, potentially leading to remote code execution.

Impact Analysis

This vulnerability can have serious impacts including unauthorized file writes to arbitrary locations on the Jenkins node filesystem.

If exploited, it can lead to remote code execution, allowing an attacker to run malicious code on the Jenkins server with the privileges of the Jenkins process.

This can compromise the integrity and security of the Jenkins environment and potentially the broader network or systems connected to it.

Compliance Impact

The vulnerability in Jenkins Credentials Binding Plugin allows attackers with the ability to provide credentials to a job to write files to arbitrary locations on the node filesystem, potentially leading to remote code execution. This unauthorized access and potential execution of arbitrary code can result in the compromise of sensitive data and system integrity.

Such a security breach can impact compliance with common standards and regulations like GDPR and HIPAA, which require the protection of sensitive data and the implementation of adequate security controls to prevent unauthorized access and data breaches.

Therefore, organizations using affected versions of the plugin may face increased risk of non-compliance due to potential data exposure or system compromise stemming from this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, update the Jenkins Credentials Binding Plugin to a version later than 720.v3f6decef43ea_; the affected-version range above lists 725.ve52b_2328a_fde as the first version that is not affected. The update corrects the sanitization of file names for file and zip file credentials, so that a credential can no longer cause files to be written outside the intended location on the node filesystem.

Additionally, review and restrict permissions so that low-privileged users cannot configure file or zip file credentials used for jobs running on the built-in node, since that configuration is what turns an arbitrary file write into remote code execution on the controller.
