Jenkins Core Vulnerabilities: Deserialization, Open Redirects, and Permission Issues Plague Older Versions
Jenkins has released a security advisory detailing multiple vulnerabilities in its core, including a high-severity deserialization flaw, open redirect bugs, and missing permission checks, affecting versions prior to 2.568 and LTS 2.555.3.

Jenkins has issued a security advisory detailing a series of vulnerabilities in its core software, with significant implications for users running older versions. The advisory, released on June 10, 2026, covers eight security flaws (CVE-2026-53435 through CVE-2026-53442), headed by a high-severity deserialization vulnerability (CVE-2026-53435) that could allow attackers to execute arbitrary code on the controller or read sensitive files from it.
The deserialization vulnerability stems from Jenkins' reliance on Java serialization in two places: agent/controller communication through the Remoting library, and persistence of configuration as XML through XStream. Jenkins ships a custom deserialization filter (JEP-200) that restricts which classes may be deserialized, but the advisory notes that attackers could still exploit the behavior of #readResolve methods, which run as part of deserialization. In Jenkins 2.567 and earlier and LTS 2.555.2 and earlier, an attacker with Overall/Read permission and access to a user account, or with the relevant configuration permissions, could submit a crafted config.xml file and cause Jenkins to deserialize arbitrary types. Depending on the types involved, this lets the attacker impersonate users and send HTTP requests on their behalf, potentially escalating to full control of the instance through the Script Console, or read arbitrary files from the Jenkins controller.
Beyond the deserialization flaw, the advisory addresses several medium-severity issues. Two open redirect vulnerabilities (CVE-2026-53436 and CVE-2026-53437) were found in the default login flow. They could be exploited by manipulating the post-login redirect URL, using relative path segments or embedded tab and newline characters, so that a victim who follows a crafted login link is sent to an attacker-controlled domain after authenticating. Jenkins 2.567 and earlier and LTS 2.555.2 and earlier are affected; Jenkins 2.568 and LTS 2.555.3 fix both by stripping the problematic characters and rejecting redirect targets that contain //.
Further vulnerabilities include a missing permission check that allows unauthorized cancellation of queue items (CVE-2026-53438): attackers with Item/Cancel permission but without Item/Read permission could cancel queue items they are not authorized to view. Similarly, missing permission checks in other HTTP endpoints (CVE-2026-53439) allow users with Overall/Read permission to enumerate other users' timezones and the names of their "My Views." The updated versions fix these issues by adding the missing permission checks, Item/Read in the queue case.
Another open redirect vulnerability (CVE-2026-53440) was identified in the "Delegate to servlet container" security realm. Affected versions failed to validate the from parameter after login, enabling phishing attacks that redirect freshly authenticated users to malicious sites. The fixed releases validate the from parameter before redirecting to it.
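To make the three open redirect issues above concrete, the following is an added example (not Jenkins code) that contrasts a typical but insufficient check on a login from parameter with one implementing the two fixes the advisory describes: strip tab and newline characters and reject any value containing //. It relies on a documented browser behavior: the WHATWG URL parser removes ASCII tab, LF and CR from its input before parsing, and treats backslash as / in http(s) URLs, so a query value such as from=/%09/evil.example (a percent-encoded tab, which the server decodes to a literal tab) reaches a naive check as "/<tab>/evil.example" but is followed by the browser as //evil.example. The Jenkins URL and the test inputs are constructed for the example.

```python
"""Validate a post-login redirect target the way a browser will interpret it.

Added example, not Jenkins code. `jenkins_url` and all inputs are constructed.
"""
from urllib.parse import urljoin, urlsplit

# Characters the WHATWG URL parser removes from its input before parsing.
BROWSER_IGNORED = "\t\n\r"


def browser_view(url):
    """Approximate browser pre-processing of a URL string.

    ASCII tab, LF and CR are dropped wherever they appear, and backslash is
    treated as a forward slash (the rule for http(s) and other special schemes).
    """
    cleaned = "".join(ch for ch in url if ch not in BROWSER_IGNORED)
    return cleaned.replace("\\", "/")


def browser_destination(jenkins_url, from_param):
    """Host the browser ends up on when redirected to `from_param` from Jenkins."""
    return urlsplit(urljoin(jenkins_url, browser_view(from_param))).netloc


def naive_is_local(from_param):
    """A common but insufficient check: 'starts with exactly one slash'.

    It accepts "/\t/evil.example" and "/\\evil.example", both of which a
    browser parses as the protocol-relative URL //evil.example.
    """
    return from_param.startswith("/") and not from_param.startswith("//")


def hardened_is_local(jenkins_url, from_param):
    """Accept only same-origin absolute paths.

    1. Evaluate the value as the browser will see it (tab/LF/CR removed,
       backslash normalised to slash).
    2. Require a leading slash and reject '//' anywhere in the value, which
       is the check the advisory describes for the fixed releases.
    3. Resolve the result against the Jenkins URL and confirm the host is
       unchanged, as a final guard independent of the string checks.
    """
    cleaned = browser_view(from_param)
    if not cleaned.startswith("/") or "//" in cleaned:
        return False
    return browser_destination(jenkins_url, cleaned) == urlsplit(jenkins_url).netloc


def safe_redirect_target(jenkins_url, from_param, default="/"):
    """Redirect target a login handler should use after authentication."""
    if from_param and hardened_is_local(jenkins_url, from_param):
        return browser_view(from_param)
    return default


# Constructed inputs as a handler would receive them after percent-decoding.
JENKINS_URL = "https://jenkins.example/"
CASES = {
    "/job/app/": True,
    "/job/a/../b/": True,            # dot segments alone cannot change the host
    "//evil.example/": False,
    "/\t/evil.example/": False,      # naive check wrongly accepts this
    "\n//evil.example/": False,
    "/\\evil.example/": False,       # naive check wrongly accepts this too
    "https://evil.example/": False,
    "": False,
}

if __name__ == "__main__":
    for value, expected in CASES.items():
        print(f"{value!r:26} naive={naive_is_local(value)!s:5} "
              f"hardened={hardened_is_local(JENKINS_URL, value)!s:5} "
              f"lands_on={browser_destination(JENKINS_URL, value) or '-':16} "
              f"expected={expected}")
```

The final host comparison in hardened_is_local is deliberately redundant with the string checks: if a future bypass slips past the character filtering, the redirect still has to resolve to the Jenkins host before it is honoured.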
Additionally, a stored cross-site scripting (XSS) vulnerability (CVE-2026-53441) affects the description shown for why a node is offline. In Jenkins 2.483 through 2.567 and LTS 2.555.2, the user-provided description of a generic offline cause was rendered without HTML escaping, so an attacker with Agent/Configure permission could store markup that executes in the browser of any user viewing the node. The fix renders the descriptions of all default offline causes as plain text.
Finally, a medium-severity issue (CVE-2026-53442) concerns plaintext secrets persisted and served through config.xml endpoints. In affected versions, a secret submitted in plaintext via POST config.xml is written to disk as-is and returned verbatim by subsequent GET config.xml requests, exposing it to anyone with Item/Extended Read permission on that item. The fixed versions no longer persist or serve secrets submitted this way in plaintext.
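Administrators who ran an affected version may already have plaintext secrets sitting in config.xml files written through the vulnerable path. The following added audit script (not Jenkins code) parses a config.xml, whether fetched with GET .../config.xml or read from JENKINS_HOME, and flags secret-looking elements whose value is not in the encrypted hudson.util.Secret form, which Jenkins serialises as base64 wrapped in braces ({AQAAABAAAA...}). The element-name heuristic (password, passphrase, secret, token, apiKey, privateKey) and the sample document are assumptions of this example, not a Jenkins rule.

```python
"""Flag plaintext secrets in a Jenkins config.xml document.

Added example, not Jenkins code. The secret-element name heuristic and the
sample config.xml below are constructed for the example.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Encrypted hudson.util.Secret values serialise as base64 inside braces.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Heuristic (assumption): element names that usually hold a secret.
# Names ending in "Id" (e.g. credentialsId) reference a credential and are skipped.
SECRET_NAME = re.compile(r"password|passphrase|secret|token|apikey|privatekey", re.I)


def is_encrypted(value):
    """True if `value` looks like an encrypted Secret rather than plaintext.

    Older unbraced base64 Secret values are treated as plaintext here and
    will be flagged; review those manually rather than trusting this check.
    """
    return bool(ENCRYPTED_SECRET.match(value.strip()))


def redact(value):
    """Keep the first two characters so a finding is recognisable but not leaked."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def _walk(elem, path):
    """Yield (xpath-like path, element) pairs in document order."""
    yield path, elem
    for child in elem:
        yield from _walk(child, path + "/" + child.tag)


def find_plaintext_secrets(xml_text):
    """Return findings for secret-looking elements whose text is not encrypted."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, elem in _walk(root, root.tag):
        value = (elem.text or "").strip()
        if not value:
            continue
        if not SECRET_NAME.search(elem.tag) or elem.tag.lower().endswith("id"):
            continue
        if is_encrypted(value):
            continue
        findings.append({"path": path, "preview": redact(value)})
    return findings


# Constructed sample: one encrypted secret, one credential reference,
# and two plaintext secrets of the kind the advisory describes.
SAMPLE_CONFIG_XML = """\
<project>
  <description>Nightly build</description>
  <scm class="hudson.plugins.git.GitSCM">
    <userRemoteConfigs>
      <hudson.plugins.git.UserRemoteConfig>
        <url>https://git.example/app.git</url>
        <credentialsId>deploy-key</credentialsId>
      </hudson.plugins.git.UserRemoteConfig>
    </userRemoteConfigs>
  </scm>
  <publishers>
    <example.Notifier>
      <apiToken>hunter2-plaintext-token</apiToken>
      <password>Sup3rS3cret!</password>
      <webhookSecret>{AQAAABAAAAAQZXhhbXBsZUVuY3J5cHRlZEJsb2I=}</webhookSecret>
    </example.Notifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    # Usage: python audit_config_xml.py [path/to/config.xml]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG_XML
    for finding in find_plaintext_secrets(text):
        print(f"PLAINTEXT {finding['path']} = {finding['preview']}")
```

Run it over every config.xml under JENKINS_HOME (jobs/*/config.xml, credentials.xml and the top-level config.xml) after upgrading; the upgrade stops the exposure going forward but does not rewrite values that were already persisted in plaintext, so each finding should be rotated.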
Jenkins strongly advises all users to update to the fixed versions, Jenkins 2.568 or LTS 2.555.3, as soon as possible. The project notes that each of these vulnerabilities requires specific permissions or user interaction to exploit, but the potential impact, particularly of the deserialization flaw, warrants prompt attention.