
CVE-2026-48922: Jenkins Credentials Binding RCE Flaw

CVE-2026-48922 is a remote code execution vulnerability in Jenkins Credentials Binding Plugin that allows attackers to write files to arbitrary locations, potentially executing malicious code. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-48922 Overview

CVE-2026-48922 affects the Jenkins Credentials Binding Plugin version 720.v3f6decef43ea_ and earlier. The plugin fails to sanitize file names for file and zip file credentials. Attackers who can provide credentials to a job can write files to arbitrary locations on the node filesystem. This path traversal condition can lead to remote code execution when Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used by a job running on the built-in node. The flaw is classified under CWE-20: Improper Input Validation.

Critical Impact

Authenticated users with credential configuration permissions can achieve remote code execution on the Jenkins controller built-in node through arbitrary file write.

Affected Products

  • Jenkins Credentials Binding Plugin 720.v3f6decef43ea_
  • Jenkins Credentials Binding Plugin earlier versions
  • Jenkins controllers using file or zip file credentials on the built-in node

Discovery Timeline

  • 2026-05-27 - CVE-2026-48922 published to NVD
  • 2026-05-27 - Jenkins Security Advisory SECURITY-3790 released
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-48922

Vulnerability Analysis

The Jenkins Credentials Binding Plugin binds credentials to environment variables and files for use by build jobs. When a job uses file credentials or zip file credentials, the plugin writes the credential contents to the workspace or a temporary directory on the executing node. The plugin derives the destination file name from credential metadata without sanitizing path traversal sequences. An attacker providing crafted credential metadata can include sequences such as ../ to escape the intended directory and write the credential content to an arbitrary filesystem location.

When the job executes on the built-in node, the file write occurs in the context of the Jenkins controller process. Writing to locations such as Jenkins plugin directories, init scripts, or Groovy hook directories enables remote code execution on the controller. The attacker requires permission to provide credentials to a job, which in many environments is granted to low-privileged users.

Root Cause

The root cause is improper input validation [CWE-20] of file name fields associated with file and zip file credential types. The plugin treats the supplied name as a trusted string and concatenates it with a base directory path rather than canonicalizing the result and verifying it remains within the intended directory.

Attack Vector

Exploitation requires network access to Jenkins and authenticated permission to configure file or zip file credentials for a job. The attacker creates a credential whose internal file name contains directory traversal sequences. When a job using the credential runs on the built-in node, the plugin writes attacker-controlled content to an attacker-chosen path. Dropping a Groovy init script or replacing a plugin file yields code execution as the Jenkins controller user.

No verified public exploit code is available. See the Jenkins Security Advisory SECURITY-3790 for additional technical context.

Detection Methods for CVE-2026-48922

Indicators of Compromise

  • Unexpected files written outside the Jenkins workspace directory by the Jenkins controller process
  • New or modified files in $JENKINS_HOME/init.groovy.d/, $JENKINS_HOME/plugins/, or $JENKINS_HOME/war/
  • Credential definitions containing ../, ..\, or absolute paths in the file name field
  • Unscheduled Jenkins controller restarts followed by execution of unfamiliar Groovy scripts

Detection Strategies

  • Audit all file and zip file credential entries for suspicious characters in the file name attribute
  • Monitor filesystem write events on the Jenkins controller for paths outside expected workspace directories
  • Review Jenkins audit logs for credential creation and modification events by low-privileged users
  • Correlate job executions on the built-in node with subsequent file modifications under $JENKINS_HOME
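The root cause above (a file name concatenated onto a base directory without canonicalization) and the first detection strategy (auditing credential file names for traversal markers) can be illustrated together. The following is an added example, not code from the Credentials Binding Plugin or the advisory; it is written in Python rather than the plugin's Java, the credential records are constructed, and the base directory path is a placeholder.

```python
import os
import re

# Constructed sample credential records (not real Jenkins data).
SAMPLE_CREDENTIALS = [
    {"id": "deploy-key", "fileName": "id_deploy"},
    {"id": "kube-config", "fileName": "config/kubeconfig"},
    {"id": "susp-1", "fileName": "../../init.groovy.d/hook.groovy"},
    {"id": "susp-2", "fileName": "..\\..\\plugins\\x.jpi"},
    {"id": "susp-3", "fileName": "/var/lib/jenkins/init.groovy.d/hook.groovy"},
]

# A ".." path component bounded by either separator, or a leading
# POSIX root / Windows drive: the markers the Indicators section lists.
SUSPICIOUS = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|^[A-Za-z]:[\\/]")


def audit_credential_names(entries):
    """Return the ids of credentials whose file name carries traversal markers."""
    return [e["id"] for e in entries if SUSPICIOUS.search(e["fileName"])]


def vulnerable_destination(base_dir, file_name):
    """The unsafe pattern the advisory describes: plain concatenation.
    If file_name is absolute, os.path.join simply returns it."""
    return os.path.join(base_dir, file_name)


def safe_destination(base_dir, file_name):
    """Canonicalize the joined path and refuse anything not strictly inside base_dir."""
    # Treat backslashes as separators too, so a name that would traverse on
    # a Windows node is rejected even when this check runs on POSIX.
    name = file_name.replace("\\", "/")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"credential file name escapes {base}: {file_name!r}")
    return target


if __name__ == "__main__":
    base = "/tmp/jenkins-ws/creds"  # placeholder base directory
    print("flagged:", audit_credential_names(SAMPLE_CREDENTIALS))
    for cred in SAMPLE_CREDENTIALS:
        try:
            print(cred["id"], "->", safe_destination(base, cred["fileName"]))
        except ValueError as err:
            print(cred["id"], "REJECTED:", err)
```

Running it flags the three constructed traversal names and shows that the canonicalizing check rejects them while accepting the two ordinary names.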

Monitoring Recommendations

  • Enable file integrity monitoring on $JENKINS_HOME, plugin directories, and Groovy init script paths
  • Alert on process executions spawned by the Jenkins controller that originate from non-workspace paths
  • Track changes to the Credentials Binding Plugin version across the fleet to confirm patch rollout

How to Mitigate CVE-2026-48922

Immediate Actions Required

  • Upgrade the Jenkins Credentials Binding Plugin to a version later than 720.v3f6decef43ea_ as specified in the Jenkins security advisory
  • Restrict the Credentials/Create and Credentials/Update permissions to trusted administrators only
  • Disable execution of jobs on the built-in node and route all builds to dedicated agents
  • Audit existing file and zip file credentials for suspicious file names

Patch Information

Jenkins published Security Advisory SECURITY-3790 on 2026-05-27 documenting the fixed plugin version. Administrators should consult the advisory for the exact fixed release identifier and apply the update through the Jenkins Update Center.

Workarounds

  • Configure Jenkins to execute builds exclusively on agents and prevent jobs from running on the built-in node
  • Remove file and zip file credentials from projects accessible to low-privileged users until the plugin is upgraded
  • Apply the principle of least privilege to credential management permissions using role-based access controls
```bash
# Configuration example: restrict builds on the built-in node
# In Manage Jenkins > Nodes > Built-In Node > Configure
# Set Number of executors to 0
# Set Usage to "Only build jobs with label expressions matching this node"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
