Jenkins disclosed multiple security flaws affecting Jenkins core and the LoadNinja Plugin, with the most detailed reporting describing a high-severity arbitrary file creation issue tracked as CVE-2026-33001 / SECURITY-3657. The flaw affects Jenkins weekly 2.554 and earlier and LTS 2.541.2 and earlier, and stems from unsafe handling of symbolic links during extraction of .tar and .tar.gz archives. A crafted archive can write files outside the intended directory, potentially enabling code execution by placing malicious content in locations such as JENKINS_HOME/init.groovy.d/ or JENKINS_HOME/plugins/, particularly through artifact archiving features on the controller.
Jenkins also reported a high-severity DNS rebinding issue in WebSocket CLI origin validation, tracked as CVE-2026-33002 / SECURITY-3674, while the Canadian Centre for Cyber Security separately amplified the vendor advisory and urged administrators to apply updates. The fixes are available in Jenkins 2.555 and LTS 2.541.3, and exploitation of the archive-handling flaw requires either Item/Configure permission or the ability to control agent processes. Other references in the set cover unrelated vendor advisories from Citrix, VMware, Atlassian, Mitel, GNU, GitHub, and Spring and do not describe the same event.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Later on 2026-03-18, the Canadian Centre for Cyber Security issued alert AV26-255 referencing the Jenkins advisory and urging users and administrators to review the vulnerabilities and apply the necessary updates. This was an official downstream notification amplifying the remediation guidance.
The advisory directed administrators to upgrade Jenkins to version 2.555 or 2.541.3 LTS and update the LoadNinja plugin to version 2.2. For the DNS rebinding issue, Jenkins also recommended temporary mitigations such as enforcing authentication and removing anonymous permissions in affected deployments.
On 2026-03-18, Jenkins published a security advisory covering vulnerabilities in Jenkins weekly 2.554 and earlier, Jenkins LTS 2.541.2 and earlier, and LoadNinja Plugin 2.1 and earlier. The issues included CVE-2026-33001, CVE-2026-33002, CVE-2026-33003, and CVE-2026-33004 affecting CI/CD environments and plugin credential handling.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcecyber.gc.ca
Open sourcejenkins.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.