In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it...
High severity
Unreviewed
Published
Jun 10, 2026
to the GitHub Advisory Database
•
Updated Jun 30, 2026
Description
Published by the National Vulnerability Database
Jun 10, 2026
Published to the GitHub Advisory Database
Jun 10, 2026
Last updated
Jun 30, 2026
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled
config.xmlsubmission in a way that allows them to handle HTTP requests afterwards.This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
References