CVE-2026-33001: Jenkins has a link following vulnerability allows arbitrary file creation

March 18, 2026 (updated March 19, 2026)

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

References

github.com/advisories/GHSA-r6qv-frpc-q66c
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/6dc99937605d5bddfeaae43a4cd14c2571e23adc
github.com/jenkinsci/jenkins/releases/tag/jenkins-2.555
nvd.nist.gov/vuln/detail/CVE-2026-33001
www.jenkins.io/security/advisory/2026-03-18/

Code Behaviors & Features

Detect and mitigate CVE-2026-33001 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →