Cyber Resilience

CVE-2026-33001

HighUpdated

Published: 18 March 2026

Published
18 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0075 50.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33001 is a high-severity Link Following (CWE-59) vulnerability in Jenkins Jenkins. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33001 is a file symlink vulnerability (CWE-59) in Jenkins versions 2.554 and earlier, including LTS 2.541.2 and earlier. The issue arises from the software's failure to safely handle symbolic links during the extraction of .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, with access restricted only by the permissions of the user running Jenkins. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-18.

Attackers with Item/Configure permission on a Jenkins item, or those able to control agent processes, can exploit this flaw by supplying malicious .tar or .tar.gz archives. Successful exploitation enables deployment of malicious scripts or plugins directly on the Jenkins controller, potentially leading to full compromise depending on the attacker's goals and the system's configuration.

The official Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657 provides guidance on mitigation, including details on affected versions and recommended patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access…

more

permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE enables exploitation of public-facing Jenkins application (T1190) via symlink in archives for arbitrary file writes, facilitating privilege escalation from Item/Configure permissions to controller compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27099Same product: Jenkins Jenkins
CVE-2026-33002Same product: Jenkins Jenkins
CVE-2026-42520Same vendor: Jenkins
CVE-2026-48921Same vendor: Jenkins
CVE-2026-48922Same vendor: Jenkins
CVE-2025-24398Same vendor: Jenkins
CVE-2025-24399Same vendor: Jenkins
CVE-2026-42523Same vendor: Jenkins
CVE-2025-49739Shared CWE-59
CVE-2025-21419Shared CWE-59

Affected Assets

jenkins
jenkins
≤ 2.541.3 · ≤ 2.555

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely patching and remediation of known flaws like CVE-2026-33001 in Jenkins archive extraction.

prevent

Requires validation of inputs such as .tar/.tar.gz archives to prevent unsafe symbolic link handling and arbitrary file writes.

prevent

Enforces least privilege for the Jenkins process user, restricting the scope of arbitrary file writes during exploitation.

References