Arbitrary File Write Vulnerability in Jenkins (CVE-2026-33001)

Mar 25, 2026 GMT+08:00

I. Overview

Jenkins has released a security advisory, stating that Jenkins 2.554 and earlier versions, as well as LTS 2.541.2 and earlier versions do not properly handle symbolic links during the extraction of .tar and .tar.gz archives. This allows attackers to write files to arbitrary locations in the Jenkins server file system by using specially crafted archives.

Jenkins is an open-source automation server widely used to automate a range of tasks, including building, testing, and deploying software. If you are a Jenkins user, check your versions and implement timely security hardening.

References:

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III.Affected Products

Affected versions:

Jenkins <= 2.554

Jenkins LTS <= 2.541.2

Secure versions:

Jenkins 2.555

Jenkins LTS 2.541.3

IV. Vulnerability Handling

1. This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

https://www.jenkins.io/download/

2. Mitigation measures:

If the affected users cannot upgrade to a secure version in time, strictly restrict the assignment of the Item/Configure permission and allow only trusted users to modify the task configuration.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.