CVE-2026-33002: Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation

March 18, 2026 (updated March 19, 2026)

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.

References

github.com/advisories/GHSA-phhv-63fh-rrc8
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/348666da7136ef8270f88c0a7350562b0ba7f8ce
nvd.nist.gov/vuln/detail/CVE-2026-33002
www.jenkins.io/security/advisory/2026-03-18/

Code Behaviors & Features

Detect and mitigate CVE-2026-33002 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →