Critical Jenkins flaws put CI servers at risk
Newly disclosed critical vulnerabilities in Jenkins expose CI/CD servers, and security teams are circulating immediate technical mitigation guidance. The flaws amplify the need to harden build infrastructure and isolate runners. (x.com)
Jenkins published a security advisory on March 18, 2026 that groups three issues, including CVE-2026-33001, and identifies the affected releases as Jenkins ≤ 2.554 and LTS ≤ 2.541.2, with fixes available in Jenkins 2.555 and LTS 2.541.3. (github.com)

The highest-impact issue is a symlink path traversal in TAR/.tar.gz extraction: an attacker can craft an archive that writes files anywhere the Jenkins service account can write, including planting Groovy init scripts that lead to controller takeover. (nvd.nist.gov) A separate WebSocket CLI flaw can be abused via DNS rebinding to escalate access to the controller UI, and the LoadNinja plugin (≤ 2.1) was found storing API keys in plaintext in job config.xml files, an immediate credential-exfiltration risk. (github.com) The exploitation paths documented by multiple vendors require Item/Configure or Agent-level privileges, or control over agent processes, and what a successful exploit can reach is bounded only by the filesystem permissions of the Jenkins process. (openwall.com)

Immediate technical actions from the advisories and vendor guidance: apply the Jenkins 2.555 / LTS 2.541.3 patches, update or remove LoadNinja plugin instances (≤ 2.1), rotate any API keys found in config.xml, and follow CloudBees guidance for controller lifecycle and managed/isolated controller deployment. (rapid7.com) Architectural mitigations called out in the disclosures include removing artifact archival from the controller filesystem (the archiveArtifacts / archive steps), moving artifact storage to a proxy or repository, segregating team controllers, and enforcing least privilege on the Item/Configure and Agent permissions. (openwall.com)

Hunt and incident-response indicators named in vendor writeups include unexpected files or init scripts under JENKINS_HOME (init.groovy.d), plaintext LoadNinja keys in job config.xml, and anomalous DNS/WebSocket patterns consistent with rebinding probes; the advisories map these to immediate detection rules. (tenable.com)
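A defender-side scan for the two filesystem indicators named above, added here as an example; it is not taken from the advisories or from any vendor tooling. It assumes the Jenkins convention that encrypted Secret values appear in XML as "{base64}"; because the page does not give the LoadNinja plugin's config.xml field names, the credential-element match is a generic heuristic, and build_sample_home creates a constructed fixture rather than real data.

```python
import glob
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Jenkins writes encrypted Secret values to XML as "{<base64>}"; any other shape is plaintext.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# LoadNinja's field names are not on the page, so match generic credential tag names (assumption).
SECRET_TAG = re.compile(r"apikey|api_key|secret|token|password", re.I)


def scan_init_scripts(jenkins_home):
    """(relative path, sha256) of every file under init.groovy.d; Jenkins runs each as the controller."""
    found = []
    for root, _, files in os.walk(os.path.join(jenkins_home, "init.groovy.d")):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                found.append((os.path.relpath(path, jenkins_home),
                              hashlib.sha256(fh.read()).hexdigest()))
    return found


def scan_job_configs(jenkins_home):
    """(job, tag) for credential-looking elements in jobs/*/config.xml whose value is not encrypted."""
    found = []
    for cfg in sorted(glob.glob(os.path.join(jenkins_home, "jobs", "*", "config.xml"))):
        job = os.path.basename(os.path.dirname(cfg))
        for elem in ET.parse(cfg).iter():
            text = (elem.text or "").strip()
            if text and SECRET_TAG.search(elem.tag) and not ENCRYPTED.match(text):
                found.append((job, elem.tag))
    return found


def build_sample_home():
    """Constructed JENKINS_HOME fixture (not real data): a plaintext key, an encrypted key, a stray hook."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "init.groovy.d"))
    with open(os.path.join(home, "init.groovy.d", "x.groovy"), "w") as fh:
        fh.write("println 'constructed sample'\n")
    for job, value in (("leaky", "ln-PLACEHOLDER-KEY"), ("ok", "{AQAAABAAAAAw}")):
        os.makedirs(os.path.join(home, "jobs", job))
        with open(os.path.join(home, "jobs", job, "config.xml"), "w") as fh:
            fh.write(f"<project><builders><s><apiKey>{value}</apiKey></s></builders></project>")
    return home
```

Run both scans against a real JENKINS_HOME after patching: every hit from scan_job_configs is a key to rotate, and every hit from scan_init_scripts should be matched to a known change record.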