CVE 8.8 HIGH

CVE-2026-53435_CVE-2026-53435

June 10, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.
This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.

AI Analysis

Deserialization of untrusted data allows attackers to impersonate users and send HTTP requests on their behalf, potentially leading to code execution or file access.

Basic Information

ID CVE-2026-53435

Source jenkins

Published Jun 10, 2026 at 13:05

Modified Jun 10, 2026 at 15:35

Affected Product

Vendor Jenkins Project

Product Jenkins

Version 2.568

CWE Classification

CWE-502

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Jenkins Project

Product Jenkins

Version 2.567 and earlier, LTS 2.555.2 and earlier

References

www.jenkins.io /security/advisory/2026-06-10/

{
    "lastseen": "",
    "description": "In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards.\nThis can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller.",
    "published": "2026-06-10T13:05:57.208Z",
    "modified": "2026-06-10T15:35:44.158Z",
    "type": "cve",
    "title": "CVE-2026-53435",
    "source": "jenkins",
    "references": "https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3707",
    "id": "CVE-2026-53435",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Jenkins",
    "version": "2.568",
    "vendor": "Jenkins Project",
    "ai_description": "Deserialization of untrusted data allows attackers to impersonate users and send HTTP requests on their behalf, potentially leading to code execution or file access.",
    "ai_severity": "High",
    "ai_vendor": "Jenkins Project",
    "ai_product": "Jenkins",
    "ai_version": "2.567 and earlier, LTS 2.555.2 and earlier",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply