Cyber Resilience

CVE-2026-53435

High · RCE

Published: 10 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: (no entry on this page)
CVSS v3.1 score: 8.8 (High); vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.1434 (96.2nd percentile)
Risk priority: 60 (floored blend, peak EPSS)

Summary

CVE-2026-53435 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jenkins. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 3.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-53435 is a deserialization vulnerability (CWE-502) affecting Jenkins 2.567 and earlier as well as LTS 2.555.2 and earlier. It allows attackers to supply an attacker-controlled config.xml that causes Jenkins to deserialize arbitrary types from core or plugins, after which the deserialized objects can handle subsequent HTTP requests.

An attacker with permission to submit configuration can leverage the flaw to impersonate any user, issue requests on that user's behalf, execute arbitrary code through the Script Console, or read arbitrary files from the Jenkins controller. The issue carries a CVSS 3.1 base score of 8.8 with network attack vector, low complexity, and low privileges required.

The Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3707 documents the problem. The associated EPSS score has remained flat at 0.0139 with no material increase after disclosure.

Vulnerability details

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.
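As an added example (not code from the original page or from the Jenkins project), the following Python snippet flags controllers in an asset inventory whose version falls within the affected ranges stated above (weekly 2.567 and earlier, LTS 2.555.2 and earlier). It assumes Jenkins LTS versions carry three dotted components and weekly releases two; the host names and inventory are constructed.

```python
"""Triage helper for CVE-2026-53435: flag Jenkins controllers whose
reported version is within the affected range given in the advisory text
(weekly 2.567 and earlier, LTS 2.555.2 and earlier)."""

from typing import List, Tuple

# Upper bounds of the affected ranges, as stated in the Vulnerability details.
MAX_AFFECTED_WEEKLY = (2, 567)
MAX_AFFECTED_LTS = (2, 555, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse '2.555.2' -> (2, 555, 2); a '-SNAPSHOT'-style suffix is dropped.
    Assumption: LTS releases have three components, weekly releases two."""
    core = version.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) not in (2, 3):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return parts


def is_affected(version: str) -> bool:
    """True if the version is in the affected range for its release line."""
    parts = parse_version(version)
    if len(parts) == 3:  # LTS line, e.g. 2.555.2
        return parts <= MAX_AFFECTED_LTS
    return parts <= MAX_AFFECTED_WEEKLY  # weekly line, e.g. 2.567


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that still need the fix."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("ci-weekly-01", "2.567"),    # last affected weekly release
    ("ci-weekly-02", "2.568"),    # outside the stated range
    ("ci-lts-01", "2.555.2"),     # last affected LTS release
    ("ci-lts-02", "2.555.3"),     # outside the stated range
    ("ci-lts-03", "2.541.1"),     # older LTS, affected
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: Jenkins {ver} is within the affected range for CVE-2026-53435")
```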

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct RCE via deserialization in an exposed Jenkins instance enables exploitation of a public-facing application and abuse of a scripting interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

jenkins / jenkins (≤ 2.555.3 · ≤ 2.568)

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Directly blocks attacker-supplied malicious config.xml by requiring validation of all input before deserialization of arbitrary types.

prevent: Restricts the low-privilege config submission permission that the attack requires, limiting the ability to reach the deserialization flaw.

prevent: Enforces strict access control on configuration endpoints so only authorized subjects can submit the config.xml that triggers the vulnerability.

References

Jenkins security advisory (SECURITY-3707): https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3707