CVE-2026-53435
Published: 10 June 2026
Summary
CVE-2026-53435 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jenkins. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-53435 is a deserialization vulnerability (CWE-502) affecting Jenkins 2.567 and earlier as well as LTS 2.555.2 and earlier. It allows attackers to supply an attacker-controlled config.xml that causes Jenkins to deserialize arbitrary types from core or plugins, after which the deserialized objects can handle subsequent HTTP requests.
An attacker with permission to submit configuration can leverage the flaw to impersonate any user, issue requests on that user's behalf, execute arbitrary code through the Script Console, or read arbitrary files from the Jenkins controller. The issue carries a CVSS 3.1 base score of 8.8 with network attack vector, low complexity, and low privileges required.
The Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3707 documents the problem. The associated EPSS score has remained flat at 0.0139 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-36019
Vulnerability details
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
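As an added illustration (not part of the advisory or of Jenkins itself), the following Python helper classifies controllers as affected or not by comparing the version they report in their `X-Jenkins` response header against the two ranges named above; the inventory values are constructed samples, and the header-to-host mapping is assumed to have been collected separately.

```python
import re

# Last affected releases per the advisory text above: weekly 2.567 and
# earlier, LTS 2.555.2 and earlier. Tuples compare element-wise.
LAST_AFFECTED_WEEKLY = (2, 567)
LAST_AFFECTED_LTS = (2, 555, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '2.567' or '2.555.2' into an int tuple; reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(parts: tuple) -> bool:
    # Jenkins LTS lines carry a third component (2.555.2); weeklies do not (2.567).
    return len(parts) == 3


def is_affected(version: str) -> bool:
    """True when the reported version falls inside an affected range."""
    parts = parse_version(version)
    if is_lts(parts):
        return parts <= LAST_AFFECTED_LTS
    return parts <= LAST_AFFECTED_WEEKLY


def triage(inventory: dict) -> dict:
    """Map host -> 'affected' / 'not affected' / 'unknown' for a collected
    inventory of X-Jenkins header values (unparseable values are 'unknown')."""
    result = {}
    for host, header in inventory.items():
        try:
            result[host] = "affected" if is_affected(header) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are placeholders.
    sample = {"ci-a.example": "2.567", "ci-b.example": "2.555.2",
              "ci-c.example": "2.556.1", "ci-d.example": "n/a"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```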
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via deserialization in an exposed Jenkins instance enables public-facing application exploitation and scripting interpreter abuse.
Mitigating Controls (NIST 800-53 r5)
- Directly blocks attacker-supplied malicious config.xml by requiring validation of all input before deserialization of arbitrary types.
- Restricts the low-privilege config submission permission that the attack requires, limiting the ability to reach the deserialization flaw.
- Enforces strict access control on configuration endpoints so only authorized subjects can submit the config.xml that triggers the vulnerability.