Unrated severityNVD Advisory· Published May 27, 2026

CVE-2026-48921

Description

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Pipeline: Groovy Libraries plugin 797.v90ea_a_9b_e45a_0 and earlier allows symbolic links in shared libraries, letting attackers read arbitrary files on the controller filesystem.

Vulnerability

Jenkins Pipeline: Groovy Libraries Plugin versions 797.v90ea_a_9b_e45a_0 and earlier do not prohibit symbolic links in shared libraries [1]. This allows attackers who can control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem [1]. The vulnerability arises because the plugin follows symbolic links when extracting or loading library content, bypassing intended access controls.

Exploitation

An attacker requires the ability to control the content of a shared library that is subsequently used by a Pipeline job [1]. This could be achieved by having commit access to the SCM repository hosting the library, or by being able to upload a malicious library archive if the Jenkins instance allows such operations. The attacker crafts the library to include a symbolic link pointing to an arbitrary file path on the controller filesystem (e.g., /etc/passwd or Jenkins secrets). When a Pipeline job using that library runs, the plugin follows the symbolic link and reads the target file, making its content available to the attacker, for example through error messages, build logs, or other output channels.

Impact

Successful exploitation allows the attacker to read arbitrary files on the Jenkins controller filesystem [1]. This can lead to disclosure of sensitive information such as Jenkins credentials, configuration files, secret keys, and other confidential data stored on the controller. The attacker does not gain direct code execution from this vulnerability alone, but the information disclosure can be leveraged for further attacks (e.g., credential theft leading to remote code execution).

Mitigation

Jenkins has released Pipeline: Groovy Libraries Plugin version 799.vc9ef06c56b_d7 which fixes this issue by disallowing symbolic links in shared libraries [1]. Users should upgrade to this version or later. As of the advisory date (2026-05-27), no workaround is documented for versions that cannot be updated [1]. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

References

Jenkins Security Advisory 2026-05-27

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Jenkins Project/Pipeline Groovy Libraries Plugininferred2 versions
<=797.v90ea_a_9b_e45a_0+ 1 more
- (no CPE)range: <=797.v90ea_a_9b_e45a_0
- (no CPE)range: <=797.v90ea_a_9b_e45a_0

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

www.jenkins.io/security/advisory/2026-05-27/nvd

News mentions

Jenkins Security Advisory 2026-05-27
Jenkins Security Advisories · May 27, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000