CVE-2026-33002 in Jenkins

Summary

by MITRE • 03/18/2026

Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.


Analysis

by VulDB Data Team • 03/24/2026

This vulnerability affects Jenkins 2.442 through 2.554 in the weekly release line and LTS 2.426.3 through LTS 2.541.2 in the long-term support line. The CLI WebSocket endpoint validates the Origin header of an incoming WebSocket handshake by comparing it with an expected origin, and it builds that expected origin from the Host header, or from X-Forwarded-Host when a reverse proxy supplies one. Both sides of the comparison therefore come from the same request. As long as the Host header names the Jenkins server the check behaves as intended; the defect is that nothing anchors the expected value to something the administrator controls, such as the configured Jenkins root URL, so a request in which Host and Origin both name an attacker-controlled domain passes the check even though it was initiated by that domain.

DNS rebinding is what produces such a request. The attacker controls a domain and its authoritative DNS server and lures a victim whose browser can reach the Jenkins instance, for example on an internal network or on localhost, into loading a page from that domain. The DNS answer for the domain initially points at the attacker's web server and carries a very short TTL; once the page has loaded, the attacker changes the answer to the Jenkins server's IP address. Script on the page then opens a WebSocket to the CLI endpoint using the attacker's hostname. The browser resolves the name again, connects to Jenkins, and, because the URL still names the attacker's domain, sets Host to that domain and Origin to the attacker's page origin, and attaches no cookies for the Jenkins hostname. Jenkins derives the expected origin from Host, finds that it equals Origin, and accepts the connection. No DNS lookup is involved on the Jenkins side, so the flaw is not a failure to verify DNS results; it is that the reference value for the comparison is taken from a request the attacker shaped. When a reverse proxy sits in front of Jenkins, X-Forwarded-Host is typically populated from the same attacker-chosen Host header and offers no additional protection.
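As an added example (not Jenkins code, and not part of the VulDB analysis), the following Python simulates the exchange described above: a resolver whose answer changes between the page load and the WebSocket handshake, a check in the vulnerable style that builds its expected origin from Host or X-Forwarded-Host, and a hardened check that compares Origin against a configured root URL instead. The hostnames, IP addresses, root URL and the /cli/ws path are constructed for the demonstration.

```python
"""Why a Host-derived expected origin fails under DNS rebinding.

Added example, not Jenkins code. The check logic mirrors the pattern the
advisory describes (expected origin computed from Host, or X-Forwarded-Host
when present); the hostnames, IP addresses, root URL and the /cli/ws path are
constructed for the demonstration.
"""
from urllib.parse import urlsplit

JENKINS_IP = "10.0.0.5"                                   # constructed
CONFIGURED_ROOT_URL = "https://jenkins.corp.example/"     # constructed
CLI_WS_PATH = "/cli/ws"                                   # assumed endpoint path


def expected_origin_from_headers(headers, scheme="https"):
    """Vulnerable pattern: the reference value comes from the request itself.
    X-Forwarded-Host takes precedence, as a proxy-aware server would do."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"{scheme}://{host}"


def origin_allowed_vulnerable(headers):
    """Passes whenever Origin and (X-Forwarded-)Host name the same host,
    which is exactly the situation a rebound request produces."""
    return headers.get("Origin") == expected_origin_from_headers(headers)


def origin_allowed_fixed(headers, configured_root_url=CONFIGURED_ROOT_URL):
    """Hardened pattern: compare Origin against an administrator-configured
    root URL. Nothing in the request influences the reference value, and a
    missing Origin is rejected rather than treated as a match."""
    origin = headers.get("Origin")
    if not origin:
        return False
    o, root = urlsplit(origin), urlsplit(configured_root_url)
    return (o.scheme, o.netloc.lower()) == (root.scheme, root.netloc.lower())


class RebindingResolver:
    """Constructed stand-in for the attacker's DNS server: the first answer
    points at the attacker's web server, later answers point at Jenkins."""

    def __init__(self, name, attacker_ip, target_ip):
        self.name, self.attacker_ip, self.target_ip = name, attacker_ip, target_ip
        self.queries = 0

    def resolve(self, name):
        if name != self.name:
            raise LookupError(name)
        self.queries += 1
        return self.attacker_ip if self.queries == 1 else self.target_ip


def simulate_rebinding(attacker_host="rebind.attacker.example"):
    """Walk through the attack and report what each origin check decides."""
    dns = RebindingResolver(attacker_host, "203.0.113.9", JENKINS_IP)
    # 1. Victim's browser loads https://rebind.attacker.example/ from the attacker.
    first_ip = dns.resolve(attacker_host)
    # 2. The short-TTL record is re-resolved when the page's script opens
    #    wss://rebind.attacker.example/cli/ws; the name now points at Jenkins.
    second_ip = dns.resolve(attacker_host)
    # 3. The browser still believes it is talking to the attacker's domain, so
    #    Host and Origin carry that domain and no Jenkins cookies are attached.
    ws_request = {
        "Host": attacker_host,
        "Origin": f"https://{attacker_host}",
        "Path": CLI_WS_PATH,
    }
    return {
        "first_resolution": first_ip,
        "rebound_resolution": second_ip,
        "target_reached": second_ip == JENKINS_IP,
        "vulnerable_check_passes": origin_allowed_vulnerable(ws_request),
        "fixed_check_passes": origin_allowed_fixed(ws_request),
    }


if __name__ == "__main__":
    for key, value in simulate_rebinding().items():
        print(f"{key}: {value}")
```

Running it prints the two resolutions and the two verdicts: the hardened check rejects the rebound request because the attacker's domain never appears in the configured root URL, and it likewise rejects a request that spoofs X-Forwarded-Host behind a proxy, which the Host-derived check accepts.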

The practical impact is that an attacker who can get a victim to load a web page can open a CLI WebSocket session against any Jenkins instance the victim's browser can reach, including instances that are not exposed to the internet. Because the browser attaches no cookies for the Jenkins hostname, and the browser WebSocket API offers no way to set an Authorization header, the session is not the victim's: it runs with the permissions Jenkins grants to the anonymous user. On an instance where anonymous holds no permissions the attacker is limited to what an anonymous user could already do. On an instance with a permissive anonymous role, or with security disabled, the attacker can run whatever CLI commands that role allows, up to Groovy script execution when anonymous is an administrator, which is a full compromise of the controller and of the credentials and pipeline definitions it holds. The vulnerability bypasses origin validation, not authentication; its severity on a given instance is governed by that instance's anonymous authorization.

Organizations should upgrade to Jenkins 2.555 or later, or LTS 2.542.1 or later, where the CLI WebSocket endpoint no longer derives the expected origin from the Host or X-Forwarded-Host headers. Firewall rules that limit the endpoint to trusted IP ranges do not address this attack, because the connection is made by the victim's browser from inside whatever range is trusted. Controls that do help while an upgrade is pending: front Jenkins with a reverse proxy that rejects any request whose Host header is not the instance's configured hostname, which is the standard DNS rebinding defence since a rebound request always carries the attacker's hostname, and make sure the anonymous user holds no permissions so that an unauthenticated CLI session can do nothing useful. For detection, log the Host and Origin headers of requests to the CLI WebSocket endpoint and alert on values that do not match the instance's hostname. The weakness is classified as CWE-284 Improper Access Control; the specific defect is an origin validation error. The ATT&CK reference is T1071.001 Application Layer Protocol: Web Protocols, which describes the WebSocket-over-HTTP carrier rather than any privilege escalation or lateral movement step.
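As an added example of the detection described above (not Jenkins, VulDB or vendor code), the Python below scans constructed reverse-proxy log lines for CLI WebSocket handshakes whose Host or Origin header does not name the instance. It assumes a log format that records the Host and Origin headers after the status code, that the endpoint is served at /cli/ws, and that jenkins.corp.example is the configured hostname; every sample line is made up.

```python
"""Flag CLI WebSocket handshakes whose Host or Origin does not name the instance.

Added example, not Jenkins or VulDB code. The log format is constructed: it
assumes a reverse proxy in front of Jenkins that logs the client IP, request
line, status, Host header and Origin header (a "-" for a missing Origin), and
that the CLI WebSocket endpoint is served at /cli/ws. EXPECTED_HOST stands in
for the hostname administrators configured for the instance.
"""
import re
from dataclasses import dataclass

EXPECTED_HOST = "jenkins.corp.example"   # assumption: configured Jenkins hostname
CLI_WS_PATH = "/cli/ws"                  # assumption: CLI WebSocket endpoint

# Constructed format: ip - - [time] "METHOD PATH HTTP/x" status "host" "origin"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Constructed sample lines: a normal browser-initiated CLI session, a rebinding
# attempt, a non-CLI request with a foreign Host (out of scope here), and a
# jenkins-cli.jar style client that connected by raw IP and sends no Origin.
SAMPLE_LOG = """\
10.20.30.40 - - [19/Mar/2026:10:01:02 +0000] "GET /cli/ws HTTP/1.1" 101 "jenkins.corp.example" "https://jenkins.corp.example"
10.20.30.41 - - [19/Mar/2026:10:03:55 +0000] "GET /cli/ws HTTP/1.1" 101 "rebind.attacker.example" "https://rebind.attacker.example"
10.20.30.42 - - [19/Mar/2026:10:04:10 +0000] "GET /job/app/ HTTP/1.1" 200 "rebind.attacker.example" "-"
10.20.30.43 - - [19/Mar/2026:10:05:17 +0000] "GET /cli/ws HTTP/1.1" 101 "10.0.0.5:8080" "-"
"""


@dataclass
class Finding:
    ip: str
    time: str
    host: str
    origin: str
    reason: str


def _hostname(value):
    """Drop an optional :port so 'host:8080' compares against EXPECTED_HOST.
    IPv6 literals are not handled; the sample data contains none."""
    return value.split(":")[0]


def find_rebinding_candidates(log_text, expected_host=EXPECTED_HOST, cli_path=CLI_WS_PATH):
    """Return one Finding per CLI WebSocket handshake whose Host or Origin
    does not name the configured instance. Lines that do not parse, or that
    target other paths, are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != cli_path:
            continue
        host, origin = m["host"], m["origin"]
        reasons = []
        if _hostname(host) != expected_host:
            reasons.append(f"Host {host!r} is not the configured hostname")
        if origin != "-":
            origin_host = _hostname(origin.split("://", 1)[-1])
            if origin_host != expected_host:
                reasons.append(f"Origin {origin!r} names a foreign site")
        if reasons:
            findings.append(Finding(m["ip"], m["time"], host, origin, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_rebinding_candidates(SAMPLE_LOG):
        print(f"{f.time} {f.ip} Host={f.host} Origin={f.origin}: {f.reason}")
```

A Host mismatch on its own is not proof of rebinding: a jenkins-cli.jar client connecting by IP address produces the same pattern (the last sample line) and sends no Origin at all. An Origin that names a foreign site on this endpoint is the strong signal, because the CLI jar sends none and a browser on the legitimate Jenkins page sends the instance's own origin.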

Responsible

Jenkins

Reservation

03/17/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00074

KEV

no

Activities

very low

Sources
