VYPR
High severity 8.8 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-53435

Description

Jenkins deserialization vulnerability allows attackers to impersonate users, run arbitrary code, or read files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Jenkins 2.567 and earlier, and LTS 2.555.2 and earlier, attackers can deserialize arbitrary types from a config.xml submission they control. The vulnerability stems from Jenkins' use of XStream to load saved configuration and Stapler to handle HTTP requests: specific readResolve methods invoked during deserialization can be triggered in a way that lets the deserialized objects take part in subsequent HTTP request handling [1].

Exploitation

Attackers require Overall/Read permission together with either a user account or permission to POST config.xml (e.g., Item/Configure). Submitting a crafted config.xml triggers the deserialization, after which the attacker is able to handle HTTP requests [1].

Impact

Successful exploitation allows attackers to impersonate any user and send HTTP requests on that user's behalf. This can lead to execution of arbitrary code via the Script Console or to reading arbitrary files from the Jenkins controller [1].

Mitigation

This vulnerability is fixed in Jenkins 2.568 and LTS 2.555.3. No workarounds are available. Jenkins is not listed in the CISA KEV catalog for this issue at this time [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 2