CVE-2026-48922
Remote Code Execution in Jenkins Credentials Binding Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Jenkins Project
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkinsci | credentials_binding_plugin | to 720.v3f6decef43ea (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Jenkins Credentials Binding Plugin version 720.v3f6decef43ea_ and earlier. It occurs because the plugin does not properly sanitize file names for file and zip file credentials. This flaw allows attackers who can provide credentials to a Jenkins job to write files to arbitrary locations on the node's filesystem.
If Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node, this vulnerability can be exploited to write files anywhere on the node, potentially leading to remote code execution.
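The defect described above is a path-handling one: a file name taken from a file or zip file credential is used to decide where on the node the content is written. The following is an added illustration, not code from the Credentials Binding Plugin or the Jenkins project, of the check a binding would need before writing such a file: resolve the untrusted name beneath a fixed destination directory, normalize it, and refuse anything that ends up outside that directory. The class name, the sample directory and the sample file names are constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative hardening example (not the plugin's own code): confine a
 * caller-supplied file name to a fixed destination directory.
 */
public final class SafeCredentialPath {

    private SafeCredentialPath() {}

    /**
     * Resolve {@code untrustedName} beneath {@code baseDir}, or throw if the
     * normalized result would escape {@code baseDir}. Covers "..", absolute
     * paths, and backslash separators (a zip entry may carry either one).
     */
    public static Path resolveInside(Path baseDir, String untrustedName) throws IOException {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IOException("empty file name");
        }
        // Treat backslashes as separators so "..\x" is not one opaque component on POSIX.
        String unified = untrustedName.replace('\\', '/');
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() discards base when the argument is absolute; normalize() folds "..".
        Path candidate = base.resolve(unified).normalize();
        // Must be strictly inside base: reject escapes and reject base itself.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IOException("file name escapes destination directory: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample destination; a real binding would use the job workspace temp dir.
        Path base = Paths.get("/tmp/example-workspace/secrets");
        String[] samples = {
            "service-account.json",      // accepted: plain name
            "nested/dir/key.pem",        // accepted: stays beneath base
            "nested/../key.pem",         // accepted: normalizes to base/key.pem
            "../../../outside.txt",      // rejected: traversal above base
            "/absolute/outside.txt",     // rejected: absolute path ignores base
            "..\\..\\outside.txt"        // rejected: backslash traversal
        };
        for (String name : samples) {
            try {
                System.out.println("accept " + name + " -> " + resolveInside(base, name));
            } catch (IOException e) {
                System.out.println("reject " + name + ": " + e.getMessage());
            }
        }
    }
}
```

The same check should be applied to every entry name of a zip file credential before extraction, and the destination directory should be one the job already owns (its temporary workspace area), so that even an accepted name cannot reach Jenkins' own configuration or startup directories.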
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized file writes to arbitrary locations on the Jenkins node filesystem.
If exploited, it can lead to remote code execution, allowing an attacker to run malicious code on the Jenkins server with the privileges of the Jenkins process.
This can compromise the integrity and security of the Jenkins environment and potentially the broader network or systems connected to it.