CVE-2026-33001 — HIGH (8.8)

Q: How severe is CVE-2026-33001?

CVE-2026-33001 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-33001?

Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins.

Vulnerability Description

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenkins. This can be exploited to deploy malicious scripts or plugins on the controller by attackers with Item/Configure permission, or able to control agent processes.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Jenkins	Jenkins	< 2.541.3

Related Weaknesses (CWE)

CWE-59

References

https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3657Vendor Advisory

FAQ

What is CVE-2026-33001?

CVE-2026-33001 is a vulnerability with a CVSS score of 8.8 (HIGH). Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locat...

How severe is CVE-2026-33001?

CVE-2026-33001 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33001?

Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins.