CVE-2026-53435
Status: Received - Intake
Jenkins Core Deserialization Vulnerability Allows Code Execution

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Jenkins Project

Description
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission, in a way that lets the deserialized objects handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
Affected Vendors & Products
Vendor   Product      Version / Range ("exc" = exclusive upper bound)
jenkins  jenkins      up to 2.568 (exc)
jenkins  jenkins_lts  up to 2.556 (exc)
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Executive Summary

This vulnerability exists in Jenkins versions 2.567 and earlier, including LTS 2.555.2 and earlier. It allows attackers to submit a specially crafted config.xml file that causes Jenkins to deserialize arbitrary types defined in Jenkins core or plugins. This deserialization enables the attacker to handle HTTP requests afterward.

Essentially, the attacker can impersonate any user and send HTTP requests on their behalf, potentially using the Script Console to execute arbitrary code or read arbitrary files from the Jenkins controller.

Impact Analysis

The impact of this vulnerability is severe. An attacker exploiting it can impersonate any user within Jenkins, which may lead to unauthorized actions being performed.

  • Execution of arbitrary code on the Jenkins controller via the Script Console.
  • Reading arbitrary files from the Jenkins controller, potentially exposing sensitive information.
  • Sending HTTP requests on behalf of legitimate users, which could lead to further attacks or unauthorized operations.