CVE-2026-53435
Status: Modified (updated after analysis)

Jenkins Core Deserialization Vulnerability Allows Code Execution

Vulnerability report for CVE-2026-53435, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-30

Assigner: Jenkins Project

Description

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

Meta Information

EPSS evaluated: 2026-06-29
Also tracked in: NVD, EUVD

Affected Vendors & Products

Two associated CPE ranges, one per release line. Read them per line rather than numerically: the weekly bound (before 2.568) does not apply to LTS builds, whose numbers are lower, and the LTS bound (before 2.555.3) does not apply to weekly builds.

Vendor   Product   Version / Range
jenkins  jenkins   weekly releases before 2.568 (2.567 and earlier)
jenkins  jenkins   LTS releases before 2.555.3 (2.555.2 and earlier)

Exploitability

CWE ID    Description
CWE-502   Deserialization of Untrusted Data: the product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Mitigation Strategies

To mitigate this vulnerability, upgrade Jenkins to weekly 2.568 or later, or to LTS 2.555.3 or later, where the issue is fixed.

The fix rejects config.xml submissions that would have Jenkins deserialize arbitrary types, which closes the path by which an attacker could leave a deserialized object handling HTTP requests, impersonate users, or run code. Until the upgrade is applied, review which accounts are able to submit configuration XML to the controller, since that submission is the attacker's entry point.
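As an added example (not code from this page or from the Jenkins project), the following Python classifies a controller's reported version against the two affected ranges stated above. It keeps the weekly and LTS lines separate so that a plain numeric comparison against 2.568 does not misclassify LTS 2.555.x builds, and it reads the version from the X-Jenkins response header that Jenkins sends with its HTTP responses. The sample header block, the older and newer LTS version strings used for illustration, and the function names are all assumptions made for this example.

```python
# Added example (not code from the page or from the Jenkins project): classify a
# Jenkins version string against the affected ranges this advisory states for
# CVE-2026-53435, and pull the version out of an HTTP response header block.
# Jenkins advertises its version in the X-Jenkins response header; the sample
# header block below is constructed for this example.
import re
from typing import Optional, Tuple

# Boundaries from the advisory: weekly 2.568+ and LTS 2.555.3+ carry the fix.
FIXED_WEEKLY: Tuple[int, ...] = (2, 568)
FIXED_LTS: Tuple[int, ...] = (2, 555, 3)

# Weekly releases have two components (2.567); LTS releases have three (2.555.2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the numeric components of a Jenkins version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it carries the
    fix, None if the advisory text on this page does not cover it.

    A plain numeric comparison against 2.568 would mark every LTS 2.555.x
    build as affected, so weekly and LTS lines are compared separately.
    """
    parts = parse_version(version)
    if len(parts) == 2:                      # weekly line
        return parts < FIXED_WEEKLY
    line = parts[:2]                          # LTS baseline, e.g. (2, 555)
    if line < FIXED_LTS[:2]:
        return True                           # older LTS line: "2.555.2 and earlier"
    if line == FIXED_LTS[:2]:
        return parts < FIXED_LTS              # 2.555.1 and 2.555.2 affected, 2.555.3+ fixed
    return None                               # newer LTS line: not stated by this advisory


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Extract the X-Jenkins header value from a raw HTTP response header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def classify_headers(raw_headers: str) -> Optional[bool]:
    """Header block in, affected (True) / fixed (False) / unknown (None) out."""
    version = version_from_headers(raw_headers)
    if version is None:
        return None
    return is_affected(version)


# Constructed sample of what `curl -sI https://jenkins.example/` might return;
# the status line and the session header value are illustrative only.
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.555.2
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


if __name__ == "__main__":
    for v in ("2.567", "2.568", "2.555.2", "2.555.3"):
        print(v, "affected" if is_affected(v) else "fixed")
    print("sample headers:", version_from_headers(SAMPLE_HEADERS),
          classify_headers(SAMPLE_HEADERS))
```

A newer LTS line than 2.555 is reported as None rather than guessed at, because the advisory on this page only speaks to 2.555.2 and earlier; check the vendor's advisory for any later LTS baseline before treating it as fixed.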

Executive Summary

This vulnerability affects Jenkins weekly 2.567 and earlier and LTS 2.555.2 and earlier. An attacker can submit a specially crafted config.xml that causes Jenkins to deserialize arbitrary types defined in Jenkins core or plugins, in a way that leaves the resulting object handling HTTP requests afterwards.

Essentially, the attacker can impersonate any user and send HTTP requests on their behalf, potentially using the Script Console to execute arbitrary code or read arbitrary files from the Jenkins controller.

Impact Analysis

The impact of this vulnerability is severe. An attacker exploiting it can impersonate any user within Jenkins and act with that user's permissions, which allows:

  • Execution of arbitrary code on the Jenkins controller via the Script Console.
  • Reading arbitrary files from the Jenkins controller, potentially exposing sensitive information.
  • Sending HTTP requests on behalf of legitimate users, which could lead to further attacks or unauthorized operations.

Compliance Impact

This vulnerability allows attackers to impersonate any user and execute arbitrary code or read arbitrary files on the Jenkins controller. Such unauthorized access and control can lead to exposure or manipulation of sensitive data.

Consequently, this can impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access to personal or protected health information.

Organizations using affected Jenkins versions may face increased risk of data breaches, potentially resulting in non-compliance with these standards.
