CVE-2026-57281
Status: Received - Intake
Jenkins Script Security Plugin Groovy AST Code Execution

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Jenkins Project

Description
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
Affected Vendors & Products

Vendor     Product                  Version / Range
jenkinsci  script_security_plugin   up to 1402.v94c9ce464861 (excluding)
jenkinsci  script_security_plugin   up to 1402.1405.vc96e74964250 (excluding)
CWE

CWE ID   Description
CWE-693  The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-93   The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-57281 is a security vulnerability in the Jenkins Script Security Plugin that allows attackers to bypass the sandbox restrictions for Groovy scripts.

The plugin fails to reject Groovy AST transformation annotations that carry an extensions member, such as @TypeChecked and @CompileStatic. That member names a type-checking extension script which the Groovy compiler loads from the classpath and executes while compiling the submitted script, so the extension script runs before the sandbox's interception takes effect and is not subject to it.

As a result, attackers who can run sandboxed Groovy scripts may be able to execute code outside the sandbox if a suitable script is present on the classpath of the component evaluating the script.

Impact Analysis

This vulnerability can allow an attacker with the ability to run sandboxed Groovy scripts to execute arbitrary code outside the sandbox environment.

Such code execution outside the sandbox can lead to unauthorized actions on the Jenkins server, potentially compromising the system's security and integrity.

However, successful exploitation is considered very unlikely: no Groovy script suitable for abuse in this way was found in Jenkins core or in plugins, and an attacker cannot supply one from inside the sandbox; it has to already exist on the classpath of the component that evaluates the script.

Detection Guidance

This vulnerability affects Jenkins Script Security Plugin versions 1402.v94c9ce464861 and earlier. Detection consists of verifying the installed version of the Script Security Plugin.

You can check the installed plugin version within Jenkins from the Plugin Manager (Manage Jenkins > Plugins > Installed plugins), with the Jenkins CLI, or through the REST API.

  • Using the Jenkins CLI, list the installed plugins and filter for script-security (add -auth user:api-token if anonymous access is not permitted):
    java -jar jenkins-cli.jar -s http://your-jenkins-url/ -auth user:api-token list-plugins | grep script-security
  • Alternatively, query the plugin list over the REST API (quote the URL so the shell does not expand the ? as a glob; add -u user:api-token if anonymous read access is disabled):
    curl -s -u user:api-token 'http://your-jenkins-url/pluginManager/api/json?depth=1' | jq -r '.plugins[] | select(.shortName=="script-security") | .version'

If the reported version is 1402.v94c9ce464861 or earlier, the system is vulnerable to this issue; the fix ships in 1402.1405.vc96e74964250. Note that Jenkins orders plugin versions by their leading numeric components (1402 sorts below 1402.1405), not as plain strings, so a naive string comparison would misclassify the affected release.
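To make the version check scriptable across many controllers, here is an added example (not code from this page or from the Jenkins project) that evaluates the pluginManager/api/json?depth=1 document and decides whether the reported script-security version sorts below the fixed release. It compares the leading numeric components of the Jenkins CD-style version string, which is what makes 1402.v94c9ce464861 correctly come out as older than 1402.1405.vc96e74964250. The sample JSON is constructed, not captured from a real instance, and the base URL, user and API token taken by fetch_plugin_manager are placeholders.

```python
import base64
import json
from typing import Optional
from urllib.request import Request, urlopen

# Fixed release named in the advisory; every Script Security version that
# sorts below it ("1402.v94c9ce464861 and earlier") is affected.
FIXED_VERSION = "1402.1405.vc96e74964250"
PLUGIN_SHORT_NAME = "script-security"


def parse_version(version: str) -> tuple:
    """Return the leading numeric components of a Jenkins plugin version.

    Jenkins CD-style versions look like "1402.v94c9ce464861" or
    "1402.1405.vc96e74964250": the dot-separated numeric prefix orders the
    releases, while the trailing "v<hash>" token is a commit id that carries
    no ordering information, so parsing stops at the first non-numeric token.
    Legacy versions such as "1.78" fall out of the same rule.
    """
    components = []
    for token in version.strip().split("."):
        if not token.isdigit():
            break
        components.append(int(token))
    if not components:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return tuple(components)


def is_vulnerable(version: str) -> bool:
    """True when the installed version sorts below the fixed release.

    Tuple comparison handles the awkward pair in this advisory:
    (1402,) < (1402, 1405), so 1402.v94c9ce464861 is affected even though
    a plain string comparison would place it after "1402.1405".
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_plugins(plugin_manager_json: str) -> Optional[dict]:
    """Evaluate a /pluginManager/api/json?depth=1 document.

    Returns {"version", "active", "vulnerable"} for script-security, or None
    when the plugin is not installed at all.
    """
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = str(plugin["version"])
            return {
                "version": version,
                "active": bool(plugin.get("active", True)),
                "vulnerable": is_vulnerable(version),
            }
    return None


def fetch_plugin_manager(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin list over the REST API with HTTP basic auth.

    base_url, user and api_token are placeholders supplied by the caller;
    this helper performs network I/O and is not used by the offline sample.
    """
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request = Request(
        base_url.rstrip("/") + "/pluginManager/api/json?depth=1",
        headers={"Authorization": "Basic " + credentials},
    )
    with urlopen(request, timeout=15) as response:
        return response.read().decode("utf-8")


# Constructed sample response (not captured from a real instance), reduced to
# the fields the check needs; the workflow-cps version is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "workflow-cps", "version": "4000.vplaceholder", "active": True},
        {"shortName": "script-security", "version": "1402.v94c9ce464861", "active": True},
    ]
})


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # fetch_plugin_manager(...) to query a live controller.
    print(check_plugins(SAMPLE_RESPONSE))
    # {'version': '1402.v94c9ce464861', 'active': True, 'vulnerable': True}
```

Stopping at the first non-numeric token is deliberate: the commit hash after the "v" differs between builds of the same release line and must not influence ordering, whereas the numeric prefix is exactly what Jenkins itself uses to order incrementals-style releases.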

Mitigation Strategies

The primary mitigation step is to upgrade the Jenkins Script Security Plugin to version 1402.1405.vc96e74964250 or later, where the vulnerability is fixed.

This update rejects any Groovy AST transformation annotations carrying an extensions member during sandbox compilation, preventing sandbox bypass.

Until the plugin is updated, restrict the ability to run sandboxed Groovy scripts to trusted users only, as exploitation requires the ability to run such scripts.
