CVE-2026-48921 Overview
CVE-2026-48921 affects the Jenkins Pipeline: Groovy Libraries Plugin version 797.v90ea_a_9b_e45a_0 and earlier. The plugin does not prohibit symbolic links in shared libraries used by Pipeline jobs. Attackers who can control the content of a shared library can place symlinks that resolve to arbitrary files on the Jenkins controller filesystem. When the Pipeline job processes the library, it reads files outside the intended library directory and exposes their contents. The flaw is categorized as a link-following weakness [CWE-59].
Critical Impact
Authenticated attackers with library write access can read arbitrary files on the Jenkins controller, including credentials, secrets, and configuration data.
Affected Products
- Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier
- Jenkins controllers consuming attacker-controlled shared libraries
- Pipeline jobs referencing libraries from untrusted sources
Discovery Timeline
- 2026-05-27 - CVE CVE-2026-48921 published to NVD
- 2026-05-27 - Jenkins Security Advisory SECURITY-3727 released
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48921
Vulnerability Analysis
The Pipeline: Groovy Libraries Plugin retrieves shared libraries from configured sources and makes their contents available to Pipeline jobs at build time. The plugin reads files from the library checkout when Pipeline steps reference them. The plugin does not validate whether files inside the library are regular files or symbolic links. An attacker who controls a library source can commit a symbolic link pointing to any path readable by the Jenkins controller process. When the Pipeline consumes that link, the controller dereferences it and returns the target file's contents to the build.
This exposes sensitive controller data such as secrets.key, credentials.xml, SSH keys under $JENKINS_HOME, and arbitrary paths like /etc/passwd. The issue maps to CWE-59: Improper Link Resolution Before File Access.
Root Cause
The plugin lacks symlink filtering when materializing shared library content. File access operations resolve symbolic targets without confirming that the resolved path remains inside the library root directory.
Attack Vector
Exploitation requires the attacker to control a Pipeline shared library, typically through write access to the source code management repository backing that library. The attacker commits a symlink, then triggers or waits for a Pipeline job to load the library. The job reads the symlink target, returning controller filesystem contents through build logs or downstream Pipeline steps.
The vulnerability manifests at the file resolution layer of the shared library loader. Refer to the Jenkins Security Advisory #SECURITY-3727 for the technical breakdown.
Detection Methods for CVE-2026-48921
Indicators of Compromise
- Pipeline build logs containing contents of files outside the library directory, such as /etc/passwd or $JENKINS_HOME/secrets/
- Recent commits to shared library repositories that add symbolic links instead of regular files
- Unusual readFile or libraryResource step usage referencing paths that resolve outside expected locations
Detection Strategies
- Audit shared library repositories for symbolic links using git ls-files -s and filter on mode 120000
- Review Jenkins controller audit logs for Pipeline jobs reading credential or secret files during library evaluation
- Correlate build console output against expected library file contents to identify exfiltration of controller data
Monitoring Recommendations
- Monitor write activity to repositories backing trusted shared libraries and alert on symlink additions
- Track Pipeline jobs that reference libraries from sources with broad contributor access
- Alert on file read operations from $JENKINS_HOME/secrets/ or $JENKINS_HOME/credentials.xml originating from build processes
How to Mitigate CVE-2026-48921
Immediate Actions Required
- Upgrade the Pipeline: Groovy Libraries Plugin to the version released in Jenkins Security Advisory SECURITY-3727
- Restrict write access to repositories backing trusted shared libraries to vetted maintainers only
- Rotate Jenkins controller credentials and secrets if exposure through Pipeline builds is suspected
Patch Information
Jenkins released a fixed version of the Pipeline: Groovy Libraries Plugin that rejects symbolic links during library checkout. Apply the update from the Jenkins Update Center. See the Jenkins Security Advisory #SECURITY-3727 for fixed version details.
Workarounds
- Move shared libraries to repositories with strict access controls and mandatory code review
- Disable untrusted Pipeline libraries by removing global library configurations that point to attacker-influenced sources
- Inspect existing library repositories for symbolic links and remove any that resolve outside the library root
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
