The Jenkins project has sent out a critical security warning about several flaws in its core automation server and the LoadNinja plugin. These flaws make CI/CD environments vulnerable to serious attacks, such as arbitrary file creation, credential leakage, and remote code execution (RCE). Jenkins is a key part of enterprise build pipelines, and it is often used with elevated privileges.
If attackers exploit them successfully, they could move laterally through internal systems, tamper with builds, or take over production workflows outright. Security teams are strongly urged to patch as soon as possible to reduce the risk.

Archive Extraction Bug Breaks Down the Whole System

CVE-2026-33001 is the most serious of the flaws. It affects Jenkins core 2.554 and LTS 2.541.2 and earlier.
The flaw comes from not handling symbolic links correctly when extracting .tar and .tar.gz files.
By crafting a malicious archive containing symbolic links, an attacker can escape the intended extraction directory and write files anywhere on the Jenkins controller; the only limit is the file permissions the operating system grants to the Jenkins service account. In practice, a user who can configure jobs or agents can abuse the "Archive the artifacts" post-build action to trigger the flaw.
This allows malicious files to be written into sensitive locations such as JENKINS_HOME/init.groovy.d/ or JENKINS_HOME/plugins/. Once in place, these files run attacker-controlled Groovy scripts or load malicious plugins, leading to full remote code execution when Jenkins restarts or processes the injected components.
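The check the fix has to perform can be illustrated with a small scanner. This is example code written for this article, not Jenkins' own implementation; the extraction root and the archive contents are constructed fixtures. It flags tar members that would land outside the destination: plain `../` traversal, symlink or hardlink targets that escape the root, and a file written through a symlink that appeared earlier in the same archive, which is the pattern the advisory describes.

```python
import io
import os
import tarfile

def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return names of members that would write outside dest."""
    dest = os.path.abspath(dest)
    inside = lambda p: p == dest or p.startswith(dest + os.sep)
    bad, symlinks = [], set()
    for m in tar.getmembers():
        name = os.path.normpath(m.name)
        full = os.path.normpath(os.path.join(dest, name))
        # every ancestor of this entry, as archive-relative paths
        parents = [os.sep.join(name.split(os.sep)[:i])
                   for i in range(1, name.count(os.sep) + 1)]
        if m.issym():
            symlinks.add(name)          # remember links seen so far, good or bad
        if not inside(full):
            bad.append(m.name)          # classic ../ traversal
        elif any(p in symlinks for p in parents):
            bad.append(m.name)          # "lnk -> ../x" followed by "lnk/file"
        elif (m.issym() or m.islnk()) and not inside(os.path.normpath(os.path.join(
                os.path.dirname(full) if m.issym() else dest, m.linkname))):
            bad.append(m.name)          # link target resolves outside dest
    return bad

def make_archive(entries) -> bytes:
    # Build an in-memory .tar.gz from (name, kind, value) tuples; fixture only.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, value in entries:
            ti = tarfile.TarInfo(name)
            if kind == "symlink":
                ti.type, ti.linkname = tarfile.SYMTYPE, value
                tar.addfile(ti)
            else:
                ti.size = len(value)
                tar.addfile(ti, io.BytesIO(value))
    return buf.getvalue()

def scan_archive(blob: bytes, dest: str) -> list:
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return unsafe_members(tar, dest)

# Constructed fixtures, not real Jenkins artifacts.
BENIGN = make_archive([("build/report.txt", "file", b"ok\n"),
                       ("build/latest", "symlink", "report.txt")])
ESCAPING = make_archive([("build/report.txt", "file", b"ok\n"),
                         ("build/link", "symlink", "../../outside"),
                         ("build/link/payload.txt", "file", b"x\n"),
                         ("../sibling.txt", "file", b"x\n")])
```

Run `scan_archive(ESCAPING, "/var/lib/jenkins/workspace/job")` to see the three offending entries; a safe extractor refuses the whole archive rather than skipping them.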
CVE-2026-33002 is another serious vulnerability, this one in Jenkins' WebSocket-based CLI endpoint. It allows a DNS rebinding attack that bypasses origin validation. The root cause is that Jenkins relies on the Host or X-Forwarded-Host HTTP headers to determine where a request came from, and those headers are client-controlled.
An attacker exploits the flaw by luring a victim to a malicious website that performs DNS rebinding so that its hostname resolves to the internal IP address of a Jenkins controller. This allows unauthorized WebSocket connections from untrusted origins. When Jenkins is reachable over plain HTTP and anonymous users hold elevated permissions, the attacker can run administrative CLI commands.
This access quickly escalates to full remote code execution, because the Jenkins CLI supports Groovy execution through the groovy and groovysh commands, giving the attacker complete control of the server. The advisory also covers two medium-severity flaws in the LoadNinja plugin, CVE-2026-33003 and CVE-2026-33004.
Versions 2.1 and earlier store API keys in plain text in job config.xml files on the controller. The plugin also fails to mask these credentials in the Jenkins UI, so users with extended read permissions can view them. This makes credential harvesting easy, and the stolen keys could be used to access external testing platforms or to move deeper into the business environment. Jenkins has released fixes for all of the reported issues.
Administrators should upgrade immediately to version 2.555 or LTS 2.541.3. This release adds strict validation during archive extraction and validates request origins against the configured Jenkins URL. LoadNinja users need to upgrade to plugin version 2.2, which encrypts and masks the API keys.
When immediate patching is not possible, organizations should reduce their exposure:
- Require authentication on every Jenkins instance.
- Remove all permissions granted to anonymous users.
- Restrict access to HTTPS-only deployments.
- Review users' roles and job configuration rights.
These weaknesses show that CI/CD infrastructure remains a high-value target, and that even small configuration or validation mistakes can lead to full system compromise.