CVE-2026-33002
In short
Jenkins versions 2.442 through 2.554 and LTS 2.426.3 through 2.541.2 validate the origin of requests to the CLI WebSocket endpoint using values taken from the request itself, so an attacker can use DNS rebinding to bypass that origin check.
Technical detail
The vulnerability lies in the origin validation logic of the CLI WebSocket endpoint, which computes the expected origin from the Host or X-Forwarded-Host HTTP request headers. Because those headers reflect whatever hostname the browser connected to, an attacker can use DNS rebinding to make the victim's browser resolve an attacker-controlled domain to Jenkins' IP address; the expected origin computed from the headers then matches the attacker's page, origin validation is bypassed, and that page can issue commands through the WebSocket interface.
Summary generated and translated by AI from the official description.
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
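To make the flaw class concrete, here is an added illustration (not Jenkins' own code) of an origin check that derives the expected origin from X-Forwarded-Host or Host, placed beside a variant that compares against a configured root URL instead. The hostnames are constructed, and the configured-root-URL variant is an assumed mitigation, not a description of the actual Jenkins fix.

```python
from urllib.parse import urlsplit

# Constructed illustration of the advisory's flaw class: an origin check whose
# "expected origin" is computed from request headers accepts any hostname the
# browser was tricked into resolving to the server (DNS rebinding).

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_origin(origin):
    """Return (scheme, host, port) for a browser Origin, or None if malformed
    (e.g. the literal "null" origin)."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme])


def _expected(scheme, hostport):
    """Normalize scheme + host[:port] into the same (scheme, host, port) shape."""
    return _parse_origin(f"{scheme}://{hostport}")


def origin_ok_header_based(headers, scheme):
    """Weak check (shape described in the advisory): the expected origin is
    computed from X-Forwarded-Host, falling back to Host. Both are supplied by
    the client, so a rebinding hostname matches itself."""
    expected_host = headers.get("X-Forwarded-Host") or headers["Host"]
    origin = _parse_origin(headers.get("Origin", ""))
    return origin is not None and origin == _expected(scheme, expected_host)


def origin_ok_configured(headers, root_url):
    """Hardened check (assumed mitigation, not Jenkins' actual patch): the
    expected origin comes from a server-side configured root URL, which the
    Host header cannot influence."""
    root = urlsplit(root_url)
    origin = _parse_origin(headers.get("Origin", ""))
    return origin is not None and origin == _expected(root.scheme, root.netloc)


# Constructed scenarios. ROOT_URL is the administrator-configured Jenkins URL.
ROOT_URL = "https://jenkins.example"
LEGIT = {"Host": "jenkins.example", "Origin": "https://jenkins.example"}
# DNS rebinding: the browser reached Jenkins via an attacker-controlled name,
# so Host and Origin both carry that name.
REBOUND = {"Host": "rebind.attacker.example", "Origin": "https://rebind.attacker.example"}
# Same idea through a reverse proxy that forwards the client-supplied host.
REBOUND_PROXY = {"Host": "10.0.0.5:8080", "X-Forwarded-Host": "rebind.attacker.example",
                 "Origin": "https://rebind.attacker.example"}
CROSS_SITE = {"Host": "jenkins.example", "Origin": "https://other.example"}
NULL_ORIGIN = {"Host": "jenkins.example", "Origin": "null"}
```

Running the two checks over the scenarios shows the header-based variant accepting the rebound requests while the configured-root variant rejects them.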
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
Jenkins Project · Jenkins