Severity: HIGH | CVE-2026-48922 | CNA: jenkins

CVE-2026-48922: Jenkins Credentials Binding Plugin 720

Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

HarborGuard Analysis

Synopsis

An arbitrary file write vulnerability exists in the Jenkins Credentials Binding Plugin version 720.v3f6decef43ea_ and earlier. The flaw is reachable over the network by an authenticated low-privilege user who can supply credentials to a Jenkins job, and no victim interaction is required to trigger it. Successful exploitation allows an attacker to write files to arbitrary locations on the node filesystem, which enables remote code execution when the affected job runs on the built-in node. No upstream fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment one becomes available.
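The control the advisory says is missing is sanitization of the file names carried by file and zip file credentials before they are written to the node. The following is an added example (not the plugin's code or HarborGuard's) of the containment check a defender would expect at that point; it assumes a hypothetical unpack directory and builds a constructed in-memory zip with one well-formed entry and two entry names that must be rejected.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Hypothetical directory a job would unpack credential files into (assumption).
UNPACK_DIR = os.path.join(tempfile.gettempdir(), "credential-unpack")


def resolve_inside(base_dir: str, name: str) -> Optional[Path]:
    """Return the target path for a credential file name under base_dir, or None
    when the name would escape it: empty, absolute, drive-prefixed (on Windows
    hosts), containing backslash or NUL, or '..' traversal after normalisation."""
    if not name or "\\" in name or "\x00" in name:
        return None
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return None
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # Containment check: base must be a strict ancestor of the resolved target.
    if base not in target.parents:
        return None
    return target


def check_zip_entries(zip_bytes: bytes, base_dir: str) -> Dict[str, List[str]]:
    """Classify every entry name of a zip credential before anything is extracted,
    so an archive with any rejected entry can be refused as a whole."""
    verdict: Dict[str, List[str]] = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ok = resolve_inside(base_dir, info.filename) is not None
            verdict["safe" if ok else "rejected"].append(info.filename)
    return verdict


def build_sample_zip() -> bytes:
    """Constructed sample archive used only to exercise the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.yaml", "key: value\n")
        zf.writestr("../../outside.txt", "would land outside the unpack directory\n")
        zf.writestr("/absolute.txt", "absolute entry name\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(check_zip_entries(build_sample_zip(), UNPACK_DIR))
    print(resolve_inside(UNPACK_DIR, "id_rsa"), resolve_inside(UNPACK_DIR, "../id_rsa"))
```

The same `resolve_inside` check applies to the single file name of a file credential; rejecting the whole archive when any entry fails is preferable to skipping bad entries, since a partially unpacked credential is itself a failure mode.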

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-48922 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle the Jenkins Credentials Binding Plugin.

Triage: Available

HarborGuard is capable of scoring this CVE at 7.5 HIGH (CVSS v3.1) and weighting it against each environment's compliance policy to determine urgency; findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without any manual intervention required.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Jenkins instance across the network to deliver the malicious credential payload.

  • Authentication: Required

    Any low-privilege account that has permission to configure credentials for a Jenkins job is sufficient; no administrative access is needed.

  • Victim interaction: Not required

    No user interaction is required; the attacker triggers the write by supplying the crafted credential directly to the job configuration.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning the attacker must account for specific environmental conditions, such as the Jenkins instance being configured to allow low-privileged users to configure file or zip file credentials for jobs running on the built-in node.

Blast Radius

  • Attacker writes arbitrary files to any path on the Jenkins node filesystem, overwriting existing files including scripts, configs, or binaries.
  • If the written file lands in a location executed by Jenkins (such as a build script or plugin directory), the attacker achieves remote code execution on the built-in node.
  • Full confidentiality, integrity, and availability of the Jenkins node are at risk: secrets stored on disk can be read, pipeline logic can be altered, and the node can be rendered inoperable.
  • Compromise of the built-in Jenkins node can expose all credentials, pipeline definitions, and build artifacts accessible to that node.

How HarborGuard Handles This

Because no fix version has been published upstream, HarborGuard monitors the Jenkins security advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment an upstream fix is released. In the interim, compensating controls are worth considering: network policy rules that restrict which users and services can reach the Jenkins instance; tightening Jenkins authorization so that low-privileged users cannot configure file or zip file credentials on jobs that run on the built-in node; and moving sensitive jobs off the built-in node entirely onto isolated agent nodes. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual steps once an upstream patch is available. Where compliance policy permits, HarborGuard can also flag any image containing plugin versions at or below 720.v3f6decef43ea_ for immediate review through the standard triage routing.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no upstream fix version published
  • Affected products: 1
  • Affected packages: Jenkins Project / Jenkins Credentials Binding Plugin, ≤ 720.v3f6decef43ea_
  • CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H