Critical Jenkins Vulnerabilities Expose CI/CD Servers to RCE Attacks

Emy Elsamnoudy
March 20, 2026

A critical security advisory has been released, detailing multiple high-severity vulnerabilities within Jenkins core and the LoadNinja plugin.

Issued on March 18, 2026, the alert warns that these flaws could allow attackers to execute arbitrary code and fully compromise continuous integration and continuous deployment pipelines.

The most severe flaw, tracked as CVE-2026-33001, stems from how Jenkins handles symbolic links when extracting .tar and .tar.gz archives.

Attackers with item configuration permissions can craft malicious archives to write files to arbitrary locations on the file system.

Because this extraction occurs directly on the controller, threat actors can write malicious scripts to the init.groovy.d/ directory or deploy rogue plugins to the plugins/ folder.

This ultimately grants complete remote code execution capabilities. Features like the “Archive the artifacts” post-build action and specific pipeline steps heavily rely on this vulnerable functionality.
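The symlink problem described above is worth seeing concretely from the defender's side. The following is an added example, not code from the article or from the Jenkins project: a small Python extractor that checks each archive entry against the filesystem as it exists after the previous entries were written, so a symlink planted by an early entry cannot redirect a later entry outside the destination. The two test archives are constructed in memory for the check; the symlink target is a throwaway temporary directory, not any Jenkins path.

```python
import io
import os
import tarfile
import tempfile


def _inside(root: str, path: str) -> bool:
    """True if path, after resolving any symlinks, is root itself or lies beneath it."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract a .tar/.tar.gz into dest, refusing any member that could write outside it.

    Members are checked one at a time against the filesystem as it exists after the
    previous members were written, so a symlink planted by an earlier entry cannot be
    used by a later entry to reach a directory outside dest. Returns the extracted
    member names; raises ValueError on the first unsafe member (nothing after it is
    written).
    """
    abs_dest = os.path.realpath(dest)
    # Python >= 3.12 (and security backports) accept an extraction filter; use it when present.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            lexical = os.path.normpath(os.path.join(abs_dest, m.name))
            # 1. Lexical traversal: absolute names or "../" segments.
            if not (lexical == abs_dest or lexical.startswith(abs_dest + os.sep)):
                raise ValueError(f"{m.name}: path escapes the destination")
            # 2. Parent directory resolved through symlinks already on disk.
            if not _inside(abs_dest, os.path.dirname(lexical)):
                raise ValueError(f"{m.name}: parent directory resolves outside the destination")
            # 3. Link targets must also stay inside; devices and FIFOs are refused outright.
            if m.issym():
                link_target = os.path.join(os.path.dirname(lexical), m.linkname)
                if not _inside(abs_dest, link_target):
                    raise ValueError(f"{m.name}: symlink target {m.linkname!r} is outside the destination")
            elif m.islnk():
                if not _inside(abs_dest, os.path.join(abs_dest, m.linkname)):
                    raise ValueError(f"{m.name}: hardlink target {m.linkname!r} is outside the destination")
            elif not (m.isfile() or m.isdir()):
                raise ValueError(f"{m.name}: only files, directories and links are allowed")
            tar.extract(m, path=abs_dest, **extract_kwargs)
            extracted.append(m.name)
    return extracted


def build_symlink_escape_archive(outside_dir: str) -> bytes:
    """Constructed test archive with the entry pattern the advisory describes: entry 1 is
    a symlink 'staging' pointing at outside_dir, entry 2 is a regular file beneath it that a
    naive extractor would write into outside_dir. Used here only to verify the check."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("staging")
        link.type = tarfile.SYMTYPE
        link.linkname = outside_dir
        tar.addfile(link)
        body = b"constructed sample\n"
        f = tarfile.TarInfo("staging/dropped.txt")
        f.size = len(body)
        tar.addfile(f, io.BytesIO(body))
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive of ordinary build artifacts (a directory and one report file)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        d = tarfile.TarInfo("reports")
        d.type = tarfile.DIRTYPE
        d.mode = 0o755
        tar.addfile(d)
        body = b"tests: 12 passed\n"
        f = tarfile.TarInfo("reports/summary.txt")
        f.size = len(body)
        tar.addfile(f, io.BytesIO(body))
    return buf.getvalue()


def demo() -> dict:
    """Run both constructed archives through safe_extract inside temporary directories."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as dest:
        result = {}
        try:
            safe_extract(build_symlink_escape_archive(outside), dest)
            result["escape_blocked"] = False
        except ValueError as err:
            result["escape_blocked"] = True
            result["reason"] = str(err)
        result["outside_untouched"] = os.listdir(outside) == []
        result["benign_extracted"] = safe_extract(build_benign_archive(), dest)
        result["benign_on_disk"] = os.path.isfile(os.path.join(dest, "reports", "summary.txt"))
        return result


if __name__ == "__main__":
    print(demo())
```

The ordering matters: the parent-directory check in step 2 uses realpath, which follows whatever symlinks earlier entries already created, and step 3 refuses the symlink itself when its target resolves outside the destination, so the escape is stopped at the first entry and nothing lands in the outside directory. A lexical "no ../" check alone would have passed both entries.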

WebSocket Hijacking Vulnerability

A second high-severity vulnerability, identified as CVE-2026-33002, involves a DNS rebinding flaw within the WebSocket command-line interface origin validation.

Jenkins relies on HTTP request headers to compute expected origins. Attackers can bypass this validation by tricking a victim into visiting a malicious website that resolves to the Jenkins controller’s IP address.

This establishes an unauthorized WebSocket connection to the CLI endpoint. If the Jenkins environment allows anonymous user permissions and operates over plain HTTP, attackers can execute CLI commands.

Depending on the anonymous user’s access level, this can result in Groovy scripting execution and subsequent remote code execution.
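To make the origin-validation weakness tangible, here is an added example (not the article's or Jenkins' code) contrasting two ways a server can validate the Origin of a WebSocket upgrade. The first derives the expected origin from the request's own Host header, which is exactly what DNS rebinding defeats, since both Host and Origin then carry the attacker-controlled hostname that now resolves to the controller. The second compares Origin only against an operator-configured root URL. The request headers and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit


def normalize_origin(url: str):
    """Return (scheme, host, port) for an http(s) URL, or None if it is not one."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def expected_origin_from_request(headers: dict):
    """Vulnerable pattern: compute the 'expected' origin from the request's own Host
    header. Under DNS rebinding the attacker's hostname resolves to the controller, so
    the browser sends a Host and an Origin that agree with each other and the check passes."""
    scheme = "https" if headers.get("X-Forwarded-Proto", "").lower() == "https" else "http"
    return normalize_origin(f"{scheme}://{headers.get('Host', '')}")


def ws_origin_check_vulnerable(headers: dict) -> bool:
    origin = normalize_origin(headers.get("Origin", ""))
    return origin is not None and origin == expected_origin_from_request(headers)


def ws_origin_check_hardened(headers: dict, configured_root_urls) -> bool:
    """Compare Origin only against administrator-configured root URLs, a value set once
    and independent of any request. A missing or malformed Origin is refused, and nothing
    the client claims via Host influences the decision."""
    origin = normalize_origin(headers.get("Origin", ""))
    if origin is None:
        return False
    allowed = {normalize_origin(u) for u in configured_root_urls} - {None}
    return origin in allowed


# Constructed sample requests; the hostnames are placeholders, not real systems.
CONFIGURED_ROOT_URLS = ["http://ci.example.internal:8080/"]
LEGIT_REQUEST = {"Host": "ci.example.internal:8080", "Origin": "http://ci.example.internal:8080"}
REBOUND_REQUEST = {"Host": "rebind.attacker.example", "Origin": "http://rebind.attacker.example"}
NO_ORIGIN_REQUEST = {"Host": "ci.example.internal:8080"}


def evaluate() -> dict:
    """Run the constructed requests through both checks; keys name the check and the case."""
    return {
        "vulnerable/legit": ws_origin_check_vulnerable(LEGIT_REQUEST),
        "vulnerable/rebound": ws_origin_check_vulnerable(REBOUND_REQUEST),
        "hardened/legit": ws_origin_check_hardened(LEGIT_REQUEST, CONFIGURED_ROOT_URLS),
        "hardened/rebound": ws_origin_check_hardened(REBOUND_REQUEST, CONFIGURED_ROOT_URLS),
        "hardened/no_origin": ws_origin_check_hardened(NO_ORIGIN_REQUEST, CONFIGURED_ROOT_URLS),
    }


if __name__ == "__main__":
    for case, allowed in evaluate().items():
        print(f"{case}: {'allowed' if allowed else 'refused'}")
```

The rebound request is accepted by the Host-derived check and refused by the configured-URL check; the same fixed allowlist is also why the article's workaround of removing anonymous permissions matters, because an accepted connection is only useful to an attacker if the anonymous user can actually run something.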

Plugin Exposes API Keys

In addition to the core vulnerabilities, the advisory highlighted a medium-severity issue within the LoadNinja Plugin.

Tracked under CVE-2026-33003 for insecure storage and CVE-2026-33004 for a lack of masking, the plugin historically stored API keys in an unencrypted format within job configuration files.

Furthermore, the configuration interface failed to mask these credentials, leaving them exposed to any user with extended read permissions or file system access.
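A practical follow-up to a finding like this is to scan job configuration files for credentials that were stored in the clear rather than as Jenkins-encrypted secrets. The following is an added example, not the article's or the plugin's code: it walks a config.xml, flags elements with credential-like tag names whose value is not in the `{base64}` form Jenkins uses for encrypted Secret values, and reports their path. The sample XML and the plugin element names in it are constructed for the demonstration and are not the real LoadNinja plugin's schema.

```python
import os
import re
import xml.etree.ElementTree as ET

# Tag names that usually hold credentials in job configs.
SENSITIVE_TAG = re.compile(r"(apikey|api_key|token|secret|password|credential)", re.IGNORECASE)
# Jenkins stores encrypted hudson.util.Secret values as "{<base64>}".
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(config_xml: str) -> list:
    """Return element paths of credential-like elements whose text is non-empty and not
    in Jenkins' encrypted Secret form."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if SENSITIVE_TAG.search(child.tag) and text and not ENCRYPTED_SECRET.match(text):
                findings.append(child_path)
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def scan_jobs(jenkins_home: str) -> dict:
    """Scan every jobs/<name>/config.xml under a JENKINS_HOME; returns {job name: findings}."""
    results = {}
    jobs_dir = os.path.join(jenkins_home, "jobs")
    if not os.path.isdir(jobs_dir):
        return results
    for job in sorted(os.listdir(jobs_dir)):
        cfg = os.path.join(jobs_dir, job, "config.xml")
        if os.path.isfile(cfg):
            with open(cfg, encoding="utf-8") as fh:
                hits = find_plaintext_secrets(fh.read())
            if hits:
                results[job] = hits
    return results


# Constructed sample: one plugin section stores its key in the clear, another uses an
# encrypted Secret. The element names are hypothetical, not a real plugin's.
SAMPLE_CONFIG_XML = """<project>
  <builders>
    <com.example.hypothetical.LoadTestBuilder plugin="hypothetical-plugin@1.0">
      <apiKey>ln_live_0123456789abcdef</apiKey>
      <projectId>42</projectId>
    </com.example.hypothetical.LoadTestBuilder>
  </builders>
  <publishers>
    <com.example.hypothetical.Notifier>
      <token>{AQAAABAAAAAQ6XvZ4L2oE1s8a7Yt0bPq9K1Jw3Rm5Nc2Df7Gh8Uk4Xz=}</token>
    </com.example.hypothetical.Notifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for path in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print("plaintext credential at", path)
```

Only the `apiKey` element is reported; the `token` value matches the encrypted form and is skipped. The tag-name heuristic will produce some false positives (an element called `tokenCount`, say), so treat the output as a review list rather than a verdict, and rotate any key the scan confirms was sitting in the clear.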

According to the Jenkins Project security advisory, admins must upgrade to Jenkins 2.555 (weekly) or 2.541.3 (LTS), and update the LoadNinja plugin to v2.2.

If immediate patching isn’t possible, organizations can implement a temporary workaround for the DNS rebinding flaw by configuring strict authentication for the controller and entirely removing permissions for the anonymous user.

All Rights Reserved by HackersRadar ©2026