CVE-2026-53435 | Severity: HIGH | CNA: jenkins

CVE-2026-53435: In Jenkins 2

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: 2.555.3
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a deserialization vulnerability in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier). An authenticated attacker with any level of access can submit a crafted config.xml file that causes Jenkins to deserialize attacker-controlled types, which then handle live HTTP requests. Successful exploitation lets the attacker impersonate any user, execute arbitrary code via the Script Console, or read arbitrary files from the Jenkins controller. A patched-image rebuild is available on HarborGuard for environments running an affected version, targeting fix versions 2.555.3 or 2.568.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53435 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Jenkins images in private registries and CI/CD pipelines.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.8 (High) and weighting it against each environment's compliance policy to prioritize routing. Triage findings can be directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild targeting Jenkins 2.555.3 (LTS) or 2.568 (weekly) is available on HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Jenkins HTTP interface over the network to submit the malicious config.xml payload.

  • Authentication: Required

    Any low-privilege Jenkins account is sufficient; no administrative credentials are needed to trigger the deserialization.

  • Victim interaction: Not required

    No victim action is needed; the attacker submits the payload directly without requiring any user to click or approve anything.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free; no race conditions or special memory layout are required to deliver the payload.

Blast Radius

  • The attacker can impersonate any Jenkins user, including administrators, and issue authenticated HTTP requests on their behalf.
  • Using the impersonated session, the attacker can access the Script Console and run arbitrary code on the Jenkins controller host.
  • The attacker can read arbitrary files from the Jenkins controller filesystem, including credentials, secrets, and pipeline configuration files.
  • Confidentiality, integrity, and availability of the Jenkins controller and its stored build data are all compromised (C:H/I:H/A:H).

How HarborGuard Handles This

Available on HarborGuard: images running Jenkins 2.567 or earlier and LTS 2.555.2 or earlier are flagged as affected, and a patched rebuild at 2.555.3 (LTS) or 2.568 (weekly) is available for deployment. For customers with auto-remediation enabled, HarborGuard performs the image rebuild, runs the configured regression suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a full diff are surfaced in the HarborGuard dashboard for reviewer action. Given that exploitation requires only a low-privilege account and yields remote code execution, treating this as an urgent rebuild is advisable for any environment where Jenkins is exposed to internal or external users.
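As an added defender-side check (not HarborGuard's or the Jenkins project's code), the following Python encodes the advisory's affected ranges literally and classifies bare Jenkins core versions as well as container image tags; the image references in it are constructed samples.

```python
"""Affected-version check for CVE-2026-53435 in Jenkins core.

Implements the advisory's stated ranges literally:
  weekly line: 2.567 and earlier affected, first fixed release 2.568
  LTS line:    2.555.2 and earlier affected, first fixed release 2.555.3
Jenkins weekly versions have two numeric components (2.567); LTS versions
have three (2.555.2). Versions outside both stated ranges, e.g. a later LTS
line, are reported as not affected by this check; confirm them upstream.
"""
import re

WEEKLY_FIXED = (2, 568)      # from the advisory
LTS_FIXED = (2, 555, 3)      # from the advisory

# Bare version, optionally followed by an image-tag suffix such as -lts-jdk17.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text):
    """Return ('weekly', (major, minor)) or ('lts', (major, minor, patch)),
    or None when the text is not a Jenkins core version (e.g. a bare 'lts' tag)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True if affected, False if fixed or outside the ranges, None if undeterminable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    line, ver = parsed
    return ver < (WEEKLY_FIXED if line == "weekly" else LTS_FIXED)


def check_image(image_ref):
    """Classify a container image reference by its tag (constructed sample names below)."""
    _name, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:          # untagged, or the colon was a registry port
        return None
    return is_affected(tag)


if __name__ == "__main__":
    for ref in ["jenkins/jenkins:2.567", "jenkins/jenkins:2.568",
                "jenkins/jenkins:2.555.2-lts-jdk17", "jenkins/jenkins:2.555.3-lts",
                "jenkins/jenkins:lts-jdk17", "registry.example:5000/ci/jenkins"]:
        print(f"{ref:45} affected={check_image(ref)}")
```

A `None` result means the tag carries no version (such as `lts-jdk17`), so the running instance must be inspected rather than assumed clean.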


Fix available: 2.555.3, 2.568

Affected packages
  • Jenkins Project / Jenkins
    Fixed in 2.568, 2.555.3

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H