CVE-2026-48921 | Severity: HIGH | CNA: jenkins

CVE-2026-48921: Jenkins Pipeline: Groovy Libraries Plugin 797

Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

HarborGuard Analysis

Synopsis

This is a path-traversal vulnerability via symbolic link abuse in the Jenkins Pipeline: Groovy Libraries Plugin, affecting version 797.v90ea_a_9b_e45a_0 and earlier. The vulnerability is reachable over the network and requires a low-privilege account; an attacker who can control the contents of a shared library used by a Pipeline job can plant symbolic links that cause the Jenkins controller to read and expose files from its own filesystem. Successful exploitation results in full disclosure of arbitrary files on the Jenkins controller, including credentials, configuration secrets, and other sensitive data. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-48921 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Jenkins images in internal registries and CI/CD pipelines. Any image found to carry the affected plugin version is flagged automatically.

Triage (status: Available)

HarborGuard can score this finding at CVSS 7.5 (HIGH) and weight it against each customer environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Jenkins Project releases a remediated plugin version. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the upstream fix is available.

Exploit Conditions

  • Network reachability: Required

    The Jenkins controller must be reachable over the network; an attacker interacts with the Pipeline job submission interface remotely.

  • Authentication: Required

    The attacker must hold at least a low-privilege Jenkins account with enough access to contribute content to a shared library used by a Pipeline job.

  • Victim interaction: Not required

    No action by another user or administrator is needed; the attacker exploits the plugin behavior directly through their own pipeline or library contribution.

  • Attack complexity: High

    Attack complexity is high, meaning the attacker must satisfy specific conditions, such as controlling the content of a library that is actually consumed by a running Pipeline job, rather than exploiting a simple unconditional code path.

Blast Radius

  • Reads arbitrary files from the Jenkins controller filesystem, including private keys, API tokens, and stored credentials.
  • Exposes Jenkins configuration files that may contain connection strings, webhook secrets, or cloud provider credentials.
  • Enables reconnaissance of the controller host's directory structure, aiding follow-on attacks against connected systems.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48921 is active against all scanned images carrying the Jenkins Pipeline: Groovy Libraries Plugin at the affected version range. Because Jenkins Project has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment an upstream remediated version is released. For customers who opt into auto-remediation, that rebuild will be followed by a regression run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls worth considering include restricting which users can define or modify shared libraries in Jenkins, isolating the controller with network policy, auditing library repository permissions to limit who can push content that Pipeline jobs consume, and enabling filesystem-level read restrictions on sensitive paths on the Jenkins controller host. HarborGuard will surface the patch availability notification through the same findings inbox used for the original detection.
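The mechanism described in the synopsis and the compensating controls listed above both come down to one question: does a shared library checkout contain symbolic links, and do any of them resolve outside the library root? The following audit script is an added example written for this advisory; it is not HarborGuard's scanner and not code from the Jenkins plugin. It walks a library checkout, reports every symlink, and marks those whose resolved target escapes the root, which is the pattern that would hand a Pipeline job a file from the controller. The sample library layout and the "controller_home" directory it builds are constructed in a temporary directory purely for demonstration.

```python
"""Audit a checked-out Jenkins Pipeline shared library for symbolic links.

Added example for CVE-2026-48921; not HarborGuard or Jenkins project code.
A hardened library policy rejects any symlink; this tool additionally
distinguishes links that stay inside the library from links that escape it.
"""
import os
import tempfile
from pathlib import Path


def find_symlinks(library_root):
    """Return sorted (relative_path, link_target, escapes_root) records.

    escapes_root is True when the link's resolved target is not the library
    root or a descendant of it. Dangling links resolve to their literal
    target path, so a link to a non-existent controller path is still flagged.
    """
    root = Path(library_root).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed but never descended.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            target = os.readlink(path)
            resolved = path.resolve(strict=False)
            escapes = resolved != root and root not in resolved.parents
            findings.append((path.relative_to(root).as_posix(), target, escapes))
    return sorted(findings)


def library_is_clean(library_root):
    """Policy check mirroring the patched behaviour: no symlinks at all."""
    return not find_symlinks(library_root)


def build_sample_library(base_dir):
    """Construct a demo library plus a stand-in 'controller' tree (constructed data)."""
    base = Path(base_dir)
    # Stand-in for a sensitive file on the controller host; constructed content.
    controller_home = base / "controller_home"
    (controller_home / "secrets").mkdir(parents=True)
    (controller_home / "secrets" / "master.key").write_text("constructed-secret\n")

    lib = base / "shared-lib"
    (lib / "vars").mkdir(parents=True)
    (lib / "src" / "org" / "example").mkdir(parents=True)
    (lib / "resources").mkdir()
    (lib / "vars" / "helper.groovy").write_text("def call() { echo 'hi' }\n")
    (lib / "src" / "org" / "example" / "Util.groovy").write_text(
        "package org.example\nclass Util {}\n")
    (lib / "resources" / "README.txt").write_text("plain resource\n")

    # Relative symlink that stays inside the library: reported, but does not escape.
    os.symlink("../vars/helper.groovy", lib / "resources" / "internal.txt")
    # File symlink whose target lies outside the library root: escapes.
    os.symlink(controller_home / "secrets" / "master.key",
               lib / "resources" / "secrets.txt")
    # Directory symlink pointing outside the library root: escapes.
    os.symlink(controller_home, lib / "vars" / "link_dir")
    return lib


def make_demo_library():
    """Build the sample library in a fresh temporary directory and return its root."""
    return build_sample_library(tempfile.mkdtemp(prefix="cve-2026-48921-demo-"))


if __name__ == "__main__":
    lib_root = make_demo_library()
    print(f"Auditing {lib_root}")
    for rel_path, target, escapes in find_symlinks(lib_root):
        verdict = "ESCAPES LIBRARY ROOT" if escapes else "internal"
        print(f"  {rel_path} -> {target}  [{verdict}]")
    print("clean:", library_is_clean(lib_root))
```

Run the module directly to see the report for the constructed sample; point `find_symlinks` at a real library checkout (for example in a pre-merge hook on the library repository) to enforce the no-symlink policy before Pipeline jobs consume the content.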

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: no fix version published upstream
Affected products: 1
Affected packages:
  • Jenkins Project / Jenkins Pipeline: Groovy Libraries Plugin, ≤ 797.v90ea_a_9b_e45a_0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H