CVE-2026-33001 — Jenkins has a link following vulnerability allows arbitrary file creation

Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

How to fix CVE-2026-33001

To remediate CVE-2026-33001, upgrade the affected package to a fixed version below.

—upgrade to 2.541.3 or later
—upgrade to 2.555 or later

Is CVE-2026-33001 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.541.3, >= 2.542.0, < 2.555.0
from 0, < 2.555

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33001
PATCHgithub.com/jenkinsci/jenkins
WEBgithub.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc
WEBgithub.com/jenkinsci/jenkins/releases/tag/jenkins-2.555