CVE-2026-33002
Published: 18 March 2026
Summary
CVE-2026-33002 is a high-severity Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350) vulnerability in Jenkins. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The vulnerability is ranked at the 16.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-2 (Flaw Remediation): directly requires identifying, reporting, and correcting the specific flaw in Jenkins CLI WebSocket origin validation, which relies on untrusted Host or X-Forwarded-Host headers and is therefore vulnerable to DNS rebinding.
- SI-10 (Information Input Validation): mandates validating the Origin header at the WebSocket endpoint against trusted criteria that are independent of spoofable Host headers, blocking DNS rebinding bypasses.
- Boundary protection: enforces boundary protection at external interfaces to monitor and control WebSocket traffic, allowing proxies or WAFs to reject invalid origins or DNS rebinding attempts.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The origin validation flaw (CWE-350) explicitly enables a DNS rebinding bypass of the CLI WebSocket endpoint's check; combined with the CVSS UI:R and AC:H metrics, this directly facilitates drive-by compromise, where a malicious site pivots through the victim's browser to reach and control Jenkins.
NVD Description
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
Deeper analysis [AI-generated]
CVE-2026-33002 is a vulnerability in Jenkins versions 2.442 through 2.554 (inclusive) and LTS versions 2.426.3 through 2.541.2 (inclusive) that affects origin validation for requests to the CLI WebSocket endpoint. The software computes the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers (CWE-350), enabling DNS rebinding attacks to bypass this check. Published on 2026-03-18, it has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Attackers can exploit this remotely over the network without privileges, though it demands high attack complexity and user interaction. By leveraging DNS rebinding, they bypass origin validation on the CLI WebSocket endpoint, potentially achieving high impact on confidentiality, integrity, and availability.
Mitigation details are outlined in the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674.
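To make the weakness concrete, the following added illustration (not Jenkins' code) contrasts an origin check that derives its expected value from the client-supplied Host or X-Forwarded-Host header with one that derives it from a fixed server-side root URL; the root URL and the sample request headers are constructed values, and the rebinding-shaped request is included only so the hardened check can be seen rejecting it.

```python
"""Origin validation for a WebSocket endpoint, weak vs hardened.

Added illustration of the header-derived origin check this CVE describes;
it is not Jenkins' code. The root URL and the sample requests are constructed.
"""
from urllib.parse import urlsplit

# Assumed server-side setting; a real deployment would read it from config.
CONFIGURED_ROOT_URL = "https://jenkins.example.internal/"


def _normalize(origin: str) -> str:
    return origin.strip().rstrip("/").lower()


def expected_origin_from_host(headers: dict, scheme: str = "https") -> str:
    """Weak: build the expected origin from X-Forwarded-Host or Host.

    Both headers are client-supplied. Under DNS rebinding the browser sends the
    attacker's hostname in Host while the TCP connection reaches the server's
    IP, so the 'expected' origin is computed from a value the attacker chose.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"{scheme}://{host}"


def expected_origin_from_config(root_url: str = CONFIGURED_ROOT_URL) -> str:
    """Hardened: build the expected origin from configuration only."""
    parts = urlsplit(root_url)
    return f"{parts.scheme}://{parts.netloc}"


def origin_allowed(headers: dict, expected: str) -> bool:
    """Accept the WebSocket upgrade only if Origin equals the expected origin."""
    return _normalize(headers.get("Origin", "")) == _normalize(expected)


def evaluate(headers: dict) -> dict:
    """Run both checks; weak=True with hardened=False flags a header-driven bypass."""
    weak = origin_allowed(headers, expected_origin_from_host(headers))
    hardened = origin_allowed(headers, expected_origin_from_config())
    return {"weak": weak, "hardened": hardened, "bypass": weak and not hardened}


# Constructed sample requests (relevant headers only).
LEGIT = {"Host": "jenkins.example.internal", "Origin": "https://jenkins.example.internal"}
REBOUND = {"Host": "attacker.example", "Origin": "https://attacker.example"}
FORWARDED = {"Host": "jenkins.example.internal", "X-Forwarded-Host": "attacker.example",
             "Origin": "https://attacker.example"}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("rebound", REBOUND), ("forwarded", FORWARDED)):
        print(name, evaluate(req))
```

The `bypass` flag is the condition a reverse proxy or WAF rule can target: an Origin that agrees with the request's own Host headers but not with the deployment's configured root URL.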