Cyber Posture

CVE-2026-33001

High

Published: 18 March 2026

Modified: 20 March 2026
KEV Added: not listed
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (45.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33001 is a high-severity Link Following (CWE-59) vulnerability in Jenkins (vendor: Jenkins). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 45.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: SI-2 (Flaw Remediation). Directly mandates timely patching and remediation of known flaws like CVE-2026-33001 in Jenkins archive extraction.
- prevent: SI-10 (Information Input Validation). Requires validation of inputs such as .tar/.tar.gz archives to prevent unsafe symbolic link handling and arbitrary file writes.
- prevent: Least privilege. Enforces least privilege for the Jenkins process user, restricting the scope of arbitrary file writes during exploitation.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE enables exploitation of a public-facing Jenkins application (T1190) through symlinks in archives that yield arbitrary file writes, facilitating privilege escalation from Item/Configure permission to controller compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

Deeper analysis

CVE-2026-33001 is a link-following vulnerability (CWE-59) in Jenkins versions 2.554 and earlier, including LTS 2.541.2 and earlier. The issue arises from the software's failure to safely handle symbolic links during the extraction of .tar and .tar.gz archives. A crafted archive can therefore write files to arbitrary locations on the filesystem, limited only by the permissions of the user running Jenkins. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-18.

Attackers with Item/Configure permission on a Jenkins item, or those able to control agent processes, can exploit this flaw by supplying malicious .tar or .tar.gz archives. Successful exploitation enables deployment of malicious scripts or plugins directly on the Jenkins controller, potentially leading to full compromise depending on the attacker's goals and the system's configuration.

The official Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657 provides guidance on mitigation, including details on affected versions and recommended patches.
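As an added illustration of the defensive check the advisory implies (this is not Jenkins code and not code from this page), the following Python dry-runs a .tar or .tar.gz against an extraction root and flags members that would be written outside it, including a regular file written through a symlink that an earlier member defined, which is the link-following pattern behind CWE-59. The workspace path and the archive contents are constructed placeholders.

```python
import io
import os
import tarfile

def _inside(root, path):
    """True when `path` (absolute, normalised) is `root` or lies below it."""
    return path == root or path.startswith(root + os.sep)

def check_archive(data, dest="/opt/jenkins/workspace"):  # dest: placeholder path
    """Dry-run an archive against `dest`; return [(member, reason)] for every entry
    that would land, or point, outside the root. Symlink members are remembered so
    a later entry written *through* one of them is caught (the CWE-59 pattern)."""
    root = os.path.abspath(dest)
    links, problems = {}, []
    def resolve(rel):
        # Walk one component at a time, substituting any directory an earlier
        # member defined as a symlink (one hop per component keeps it bounded).
        cur = root
        for part in os.path.normpath(rel).split(os.sep):
            cur = os.path.normpath(os.path.join(cur, part))
            cur = links.get(cur, cur)
        return cur
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                problems.append((m.name, "absolute or parent-relative name"))
                continue
            where = resolve(m.name)
            if not _inside(root, where):
                problems.append((m.name, "resolves outside extraction root"))
                continue
            if m.issym():  # symlink targets are relative to the link's directory
                tgt = os.path.normpath(os.path.join(os.path.dirname(where), m.linkname))
                links[where] = tgt
                if not _inside(root, tgt):
                    problems.append((m.name, "link target escapes extraction root"))
    return problems

def build_sample():
    """Constructed .tar.gz: symlink out of the root, a file written through it, a benign file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        link = tarfile.TarInfo("share")
        link.type, link.linkname = tarfile.SYMTYPE, "/var/tmp"
        tar.addfile(link)
        for name, body in (("share/dropped.txt", b"x\n"), ("README.txt", b"ok\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

Python 3.12 (and the security backports in 3.8.17, 3.9.17, 3.10.12 and 3.11.4) applies the same policy during extraction via `extractall(path, filter="data")`, so a pre-check like this is mainly useful where the extraction library itself offers no such guard.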

Details

CWE(s): CWE-59 (Link Following)

Affected Products

Vendor: jenkins · Product: jenkins · Versions: ≤ 2.541.3 · ≤ 2.555

CVEs Like This One

- CVE-2026-27099 (same product: Jenkins)
- CVE-2026-33002 (same product: Jenkins)
- CVE-2026-42520 (same vendor: Jenkins)
- CVE-2025-24398 (same vendor: Jenkins)
- CVE-2025-24399 (same vendor: Jenkins)
- CVE-2026-42523 (same vendor: Jenkins)
- CVE-2025-29795 (shared CWE-59)
- CVE-2025-25008 (shared CWE-59)
- CVE-2025-21322 (shared CWE-59)
- CVE-2026-31979 (shared CWE-59)

References