High severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 19, 2026
CVE-2026-33001
Description
Jenkins 2.554 and earlier, and LTS 2.541.2 and earlier, do not safely handle symbolic links during the extraction of .tar and .tar.gz archives. A crafted archive can therefore write files to arbitrary locations on the filesystem, limited only by the filesystem permissions of the user running Jenkins. Attackers with Item/Configure permission, or who can control agent processes, can exploit this to deploy malicious scripts or plugins on the controller.
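The bug class behind this description, a symlink member extracted first and a later member written through it, is easiest to see with two extractors side by side. The following is an added example written for this page; it is not Jenkins code and not the logic of the referenced fix commit, and the archive layout, member names ("plugins", "plugins/evil.hpi"), payload and temporary directories are all constructed for the demo. Python is used because the pattern is language-independent and the script runs offline.

```python
import io
import os
import tarfile
import tempfile


class UnsafeArchive(Exception):
    """A member would read from or write to a path outside the destination."""


def build_tar(members) -> bytes:
    # Constructed archive builder: each member is (name, linkname, data);
    # a non-None linkname makes a symlink, otherwise a regular file.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, linkname, data in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _inside(root: str, path: str) -> bool:
    return path == root or path.startswith(root + os.sep)


def naive_extract(data: bytes, dest: str) -> None:
    # VULNERABLE: trusts member names and follows any symlink an earlier
    # member created, so 'plugins/evil.hpi' lands wherever 'plugins' points.
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            target = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, target)
            elif m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(m).read())


def safe_extract(data: bytes, dest: str) -> list:
    # Hardened: resolve each member path through what already exists on disk
    # (including symlinks extracted earlier, absolute names and '..') and
    # require it to stay under dest; a symlink's own target must resolve
    # under dest as well. Returns the names extracted.
    root = os.path.realpath(dest)
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar:
            if not (m.isfile() or m.isdir() or m.issym()):
                raise UnsafeArchive(f"unsupported member type: {m.name}")
            target = os.path.realpath(os.path.join(root, m.name))
            if not _inside(root, target):
                raise UnsafeArchive(f"path escapes destination: {m.name}")
            if m.issym():
                link_dst = os.path.realpath(
                    os.path.join(os.path.dirname(target), m.linkname))
                if not _inside(root, link_dst):
                    raise UnsafeArchive(f"symlink escapes: {m.name} -> {m.linkname}")
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(m.linkname, target)
            elif m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(m).read())
            extracted.append(m.name)
    return extracted


def demo() -> dict:
    # Runs both extractors in temporary directories and reports what happened.
    results = {}
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as dest_safe, \
            tempfile.TemporaryDirectory() as dest_naive:
        crafted = build_tar([("plugins", outside, None),
                             ("plugins/evil.hpi", None, b"#!/bin/sh\necho pwned\n")])
        benign = build_tar([("data/readme.txt", None, b"ok\n"),
                            ("data/latest.txt", "readme.txt", None)])
        try:
            safe_extract(crafted, dest_safe)
            results["safe_rejected"] = False
        except UnsafeArchive:
            results["safe_rejected"] = True
        results["safe_wrote_outside"] = os.path.exists(os.path.join(outside, "evil.hpi"))
        naive_extract(crafted, dest_naive)
        results["naive_wrote_outside"] = os.path.exists(os.path.join(outside, "evil.hpi"))
        results["benign_extracted"] = safe_extract(benign, dest_safe)
        with open(os.path.join(dest_safe, "data", "latest.txt"), "rb") as f:
            results["benign_link_content"] = f.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two checks matter in `safe_extract`: the symlink target check stops the crafted archive at its first member, and the realpath check on every later member would still catch the write even if a symlink had slipped through. The resolve-then-write sequence is not atomic, so an attacker who can modify the destination concurrently could still race it; extractors that need to be robust against that either refuse symlink members outright or open each path component with O_NOFOLLOW. Python's own `tarfile` gained equivalent protection with `extractall(path, filter="data")` in 3.12 (PEP 706), which is what to reach for rather than a hand-written extractor.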
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 2.555 | 2.555 |
Affected products
Versions sourced from OSV coordinates (8 entries, 7 version ranges); no CPE is recorded for any of them.
| Package (PURL) | Affected range |
|---|---|
| pkg:apk/chainguard/jenkins-2.516 | < 2.516.3-r4 |
| pkg:apk/chainguard/jenkins-2.516-openjdk-21 | < 2.516.3-r4 |
| pkg:apk/chainguard/jenkins-2.528 | < 2.528.3-r3 |
| pkg:apk/chainguard/jenkins-2.528-openjdk-17 | < 2.528.3-r3 |
| pkg:apk/chainguard/jenkins-2.541 | < 2.541.3-r9 |
| pkg:bitnami/jenkins | < 2.541.3 |
| pkg:maven/org.jenkins-ci.main/jenkins-core | < 2.555 |
The eighth entry records 2.555 as the fixed version.
References
- GHSA-r6qv-frpc-q66c (GitHub Security Advisory): github.com/advisories/GHSA-r6qv-frpc-q66c
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2026-33001
- Jenkins Security Advisory 2026-03-18 (vendor advisory): www.jenkins.io/security/advisory/2026-03-18/
- Fix commit: github.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc
- Release notes: github.com/jenkinsci/jenkins/releases/tag/jenkins-2.555
News mentions
- Jenkins Security Advisory 2026-03-18, Jenkins Security Advisories, Mar 18, 2026