CVE-2026-33002
Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation
7.5
HIGH
CVSS 3.1
EPSS 0.07%
Description
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.
How to fix CVE-2026-33002
To remediate CVE-2026-33002, upgrade the affected package to a fixed version below.
- Upgrade to 2.541.3 or later
- Upgrade to 2.555 or later
Is CVE-2026-33002 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.426.3, < 2.541.3, >= 2.542.0, < 2.555.0
- >= 2.442, < 2.555
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |