High severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 19, 2026
CVE-2026-33002
Description
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.442, < 2.555 | 2.555 |
Affected products
osv-coords, 7 versions:
- pkg:apk/chainguard/jenkins-2.516 (no CPE), range: < 2.516.3-r4
- pkg:apk/chainguard/jenkins-2.516-openjdk-21 (no CPE), range: < 2.516.3-r4
- pkg:apk/chainguard/jenkins-2.528 (no CPE), range: < 2.528.3-r3
- pkg:apk/chainguard/jenkins-2.528-openjdk-17 (no CPE), range: < 2.528.3-r3
- pkg:apk/chainguard/jenkins-2.541 (no CPE), range: < 2.541.3-r2
- pkg:bitnami/jenkins (no CPE), range: >= 2.426.3, < 2.541.3
- pkg:maven/org.jenkins-ci.main/jenkins-core (no CPE), range: >= 2.442, < 2.555
- Range: 0
References
- github.com/advisories/GHSA-phhv-63fh-rrc8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33002 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2026-03-18/ (ghsa, vendor-advisory, WEB)
- github.com/jenkinsci/jenkins/commit/348666da7136ef8270f88c0a7350562b0ba7f8ce (ghsa, WEB)
News mentions
- Jenkins Security Advisory 2026-03-18 (Jenkins Security Advisories, Mar 18, 2026)