Jenkins flaws put CI/CD servers at risk

A security advisory published on March 18, 2026 describes several serious vulnerabilities in Jenkins core and the LoadNinja plugin. According to the advisory, these flaws could let attackers run arbitrary code and completely take over continuous integration and continuous deployment (CI/CD) pipelines.
CVE-2026-33001 is the most serious flaw; it concerns how Jenkins handles symbolic links when extracting .tar and .tar.gz archives. An attacker with permission to change item configurations can craft archives that write files to arbitrary locations on the file system. Because the extraction happens directly on the controller, an attacker could drop scripts into the init.groovy.d/ directory or plant malicious plugins in the plugins/ folder.
Either path ultimately yields full remote code execution.
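The symlink extraction flaw described above comes down to an extractor trusting archive entries. The following added example (not code from the Jenkins project or the advisory) inspects a constructed archive without extracting it and flags the entries that would land outside the intended workspace, including a file written through an escaping symlink; the workspace path is a hypothetical placeholder.

```python
import io
import os
import tarfile

def build_sample_archive() -> bytes:
    """Constructed sample (not a real exploit): a symlink 'hook' pointing
    out of the workspace, a file placed under that link, and a benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("hook")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../init.groovy.d"   # escapes the workspace
        tar.addfile(link)
        body = b"// constructed placeholder, not a real script\n"
        member = tarfile.TarInfo("hook/script.groovy")
        member.size = len(body)
        tar.addfile(member, io.BytesIO(body))
        ok = tarfile.TarInfo("report.txt")
        ok.size = 2
        tar.addfile(ok, io.BytesIO(b"ok"))
    return buf.getvalue()

def unsafe_members(archive: bytes, dest: str = "/var/jenkins_home/workspace/job"):
    """Return (member, reason) for entries that would land outside dest.

    Only names and link targets are inspected; nothing is extracted. dest is
    a hypothetical workspace path. A symlink whose target leaves dest is
    flagged, and so is any later entry placed under that link, because a
    naive extractor would follow the link and write the file elsewhere.
    """
    dest = os.path.realpath(dest)
    inside = lambda p: p == dest or p.startswith(dest + os.sep)
    flagged, escaping_links = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            full = os.path.realpath(os.path.join(dest, m.name))
            if os.path.isabs(m.name) or not inside(full):
                flagged.append((m.name, "path escapes destination"))
                continue
            if any(m.name.startswith(l + "/") for l in escaping_links):
                flagged.append((m.name, "written through escaping symlink"))
                continue
            if m.issym() or m.islnk():
                # symlink targets resolve relative to the link's own directory,
                # hard link targets relative to the archive root
                base = os.path.dirname(full) if m.issym() else dest
                target = os.path.realpath(os.path.join(base, m.linkname))
                if os.path.isabs(m.linkname) or not inside(target):
                    flagged.append((m.name, "link target escapes destination"))
                    escaping_links.append(m.name)
    return flagged
```

On Python 3.12 and later, passing `filter="data"` to `TarFile.extractall` applies equivalent rules at extraction time; the checker above is useful where archives must be vetted before any extractor touches them.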
The vulnerable extraction code is reached through features such as the "Archive the artifacts" post-build action and certain pipeline steps.

WebSocket Hijacking Flaw

Another serious vulnerability, CVE-2026-33002, is a DNS rebinding flaw in the origin validation of the WebSocket command-line interface (CLI). Jenkins derives the expected origins from HTTP request headers.
Attackers can bypass this check by luring a victim to a malicious website that resolves to the Jenkins controller's IP address, which establishes an unauthorized WebSocket connection to the CLI endpoint. If the Jenkins instance grants permissions to anonymous users and is served over plain HTTP, the attacker can run CLI commands; depending on the anonymous user's level of access, this can extend to Groovy script execution and remote code execution.
Plugin Exposes API Keys

Alongside the core vulnerabilities, the advisory notes a medium-severity problem in the LoadNinja Plugin. The plugin stored API keys unencrypted in job configuration files; this is now tracked as CVE-2026-33003 (insecure storage) and CVE-2026-33004 (lack of masking).
The configuration interface also did not mask these credentials, so anyone with extended read permissions or file-system access could view them. The Jenkins Project security advisory says admins should upgrade to Jenkins 2.555 (weekly) or 2.541.3 (LTS) and the LoadNinja plugin to v2.2. Organizations that can't patch right away can temporarily mitigate the DNS rebinding flaw by enforcing strict authentication on the controller and removing all permissions from the anonymous user.