Unrated severity · NVD Advisory · Published May 27, 2026

CVE-2026-48922

Description

Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier allows file write via unsanitized file names, potentially leading to RCE on the built-in node.

Vulnerability

Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials [1]. This allows attackers who can configure such credentials for a job to write files to arbitrary locations on the node filesystem [1]. The code path is reachable when a low-privileged user is permitted to define file or zip file credentials used for a job running on the built-in node [1].

Exploitation

An attacker needs the ability to provide file or zip file credentials to a job [1]. This typically requires a low-privileged Jenkins user with permission to configure credentials for a job that runs on the built-in node [1]. The attacker can craft malicious credentials with unsanitized file names to write files outside the intended credential directory [1]. No additional user interaction is required beyond job execution [1].

Impact

Successful exploitation allows the attacker to write files to arbitrary locations on the node filesystem [1]. If the built-in node is the Jenkins controller, this can lead to remote code execution (RCE) on the controller [1]. The impact includes full compromise of the Jenkins instance, as the attacker could write a malicious plugin or modify scripts to gain code execution [1].

Mitigation

As of the advisory publication date (2026-05-27), no fixed version has been released [1]. Administrators should ensure that only trusted users have permission to configure file or zip file credentials, especially for jobs on the built-in node [1]. They should also consider restricting low-privileged users from creating such credentials until a fix is available [1]. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
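As an added example, not code from the advisory or the Jenkins plugin, this is the containment check that closes the bug class described above: a caller-supplied credential file name, or each entry name inside a zip credential, is normalized against the job's credential directory and refused if it resolves outside it. The directory path and archive contents are constructed for illustration.

```python
import io
import posixpath
import zipfile


def safe_credential_path(base_dir: str, file_name: str) -> str:
    """Return the path under base_dir at which file_name may be written.
    Raise ValueError if the name is empty, contains NUL, is absolute, or
    normalizes to a location outside base_dir (the '..' traversal case)."""
    if not file_name or "\x00" in file_name:
        raise ValueError("empty or NUL-containing file name")
    name = file_name.replace("\\", "/")  # a Windows node treats '\' as a separator
    if posixpath.isabs(name):
        raise ValueError(f"absolute file name rejected: {file_name!r}")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    # The normalized target must still sit strictly below the credential directory.
    if target == base or posixpath.commonpath([base, target]) != base:
        raise ValueError(f"file name escapes {base}: {file_name!r}")
    return target


def plan_zip_extraction(zip_bytes: bytes, base_dir: str) -> dict:
    """Classify every entry of a zip credential before anything is written.
    Returns {'allowed': {entry: target}, 'rejected': {entry: reason}}.
    Directory entries are skipped; production code must also refuse symlink
    entries, which this check does not inspect."""
    allowed, rejected = {}, {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                allowed[info.filename] = safe_credential_path(base_dir, info.filename)
            except ValueError as exc:
                rejected[info.filename] = str(exc)
    return {"allowed": allowed, "rejected": rejected}


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/app.properties", "db.user=ci\n")
        zf.writestr("../../escape.txt", "would land outside the credential dir\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(plan_zip_extraction(build_sample_zip(), "/tmp/job-creds"))
```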

Affected products: 2

Patches: 0 (no patches discovered yet).

Vulnerability mechanics

No source-code context is available for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1