Jenkins has released fixes in Jenkins 2.568 and Jenkins LTS 2.555.3 for multiple vulnerabilities affecting the automation server, including a high-impact unsafe deserialization flaw tracked as CVE-2026-53435. According to the disclosure, attackers with Overall/Read permission and additional access such as a valid user account or the ability to post config.xml data could trigger deserialization of Jenkins core or plugin types, potentially leading to user impersonation, arbitrary HTTP requests, possible Script Console code execution, and arbitrary file reads from the Jenkins controller. The issues affect Jenkins 2.567 and earlier and Jenkins LTS 2.555.2 and earlier.
The advisory also addresses several additional weaknesses, including open redirect bugs in the login flow, a missing permission check in HTTP endpoints, an unsafe redirect in the "Delegate to servlet container" security realm, a stored XSS issue through offline cause descriptions, and exposure of plaintext secrets through config.xml handling. Organizations running self-managed Jenkins instances should prioritize upgrading to the fixed releases and review controller exposure, user permissions, and configuration handling paths that could allow low-privileged users to reach sensitive functionality.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Defused reported that its honeypots saw exploitation attempts targeting Jenkins CVE-2026-53435 within hours of the June 10 public disclosure. The activity showed the newly disclosed remote code execution flaw was being exploited in the wild shortly after patches were released.
Jenkins disclosed multiple security vulnerabilities affecting Jenkins 2.567 and earlier and Jenkins LTS 2.555.2 and earlier, and released fixes in Jenkins 2.568 and Jenkins LTS 2.555.3. The advisory identified CVE-2026-53435 as the most severe issue, alongside additional flaws including open redirect, missing permission checks, stored XSS, and plaintext secret exposure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
ccb.belgium.be
Open sourcehkcert.org
Open sourcethecybersecguru.com
Open sourcesecurityonline.info
Open sourcecyber.gc.ca
Open sourcejenkins.io
Open sourceseclists.org
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.