CVE-2026-53435

High PUBLISHED

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins...

Jenkins Project · Jenkins

Not yet in CISA KEV

Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
High
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
8.8 High EPSS 14.9%

At a Glance

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

CVE Published
Jun 10, 2026
Exploitation Reported
Jun 15, 2026
CVSS
8.8 High
EPSS
14.9%
Remote Low complexity No user interaction

Affected Versions

Vendor Product Version Status
Red Hat
OpenShift Developer Tools and Services

jenkins

All versions (default: affected)

Affected
Jenkins Project
Jenkins

2.568 to < *

Unaffected
Jenkins Project
Jenkins

2.555.3 to < 2.555.*

Unaffected

CVE References

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.