CVE-2026-57281
Modified Modified - Updated After Analysis

Jenkins Script Security Plugin Groovy AST Code Execution

Vulnerability report for CVE-2026-57281, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-30

Assigner: Jenkins Project

Description

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-30
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
jenkins script_security to 1402.v94c9ce464861 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CWE-917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-57281 is a security vulnerability in the Jenkins Script Security Plugin that allows attackers to bypass the sandbox restrictions for Groovy scripts.

The plugin fails to reject Groovy AST transformation annotations that carry an extensions member, such as @CompileStatic and @TypeChecked. This flaw allows Groovy to load and execute a script from the classpath at compile time before the sandbox is applied.

As a result, attackers who can run sandboxed Groovy scripts may be able to execute code outside the sandbox if a suitable script is present on the classpath of the component evaluating the script.

Impact Analysis

This vulnerability can allow an attacker with the ability to run sandboxed Groovy scripts to execute arbitrary code outside the sandbox environment.

Such code execution outside the sandbox can lead to unauthorized actions on the Jenkins server, potentially compromising the system's security and integrity.

However, successful exploitation is considered very unlikely because no dangerous Groovy scripts were found in Jenkins core or plugins.

Detection Guidance

This vulnerability affects Jenkins Script Security Plugin versions 1402.v94c9ce464861 and earlier. Detection involves verifying the installed version of the Script Security Plugin to determine if it is vulnerable.

You can check the installed plugin version within Jenkins by navigating to the Plugin Manager or by using Jenkins CLI or REST API commands.

  • Using Jenkins Script Console or CLI, run a command to list installed plugins and their versions, for example:
  • jenkins-cli.jar -s http://your-jenkins-url/ list-plugins | grep script-security
  • Alternatively, use the Jenkins REST API to query plugin information:
  • curl -s http://your-jenkins-url/pluginManager/api/json?depth=1 | jq '.plugins[] | select(.shortName=="script-security") | .version'

If the version is 1402.v94c9ce464861 or earlier, the system is vulnerable to this issue.

Mitigation Strategies

The primary mitigation step is to upgrade the Jenkins Script Security Plugin to version 1402.1405.vc96e74964250 or later, where the vulnerability is fixed.

This update rejects any Groovy AST transformation annotations carrying an extensions member during sandbox compilation, preventing sandbox bypass.

Until the plugin is updated, restrict the ability to run sandboxed Groovy scripts to trusted users only, as exploitation requires the ability to run such scripts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart