CVE-2026-53435 Overview
CVE-2026-53435 is an insecure deserialization vulnerability [CWE-502] in the Jenkins automation server. Jenkins weekly 2.567 and earlier, and LTS 2.555.2 and earlier, deserialize arbitrary types defined in Jenkins core or installed plugins from attacker-controlled config.xml submissions. Some of the resulting objects can handle subsequent HTTP requests, which lets an attacker impersonate any user. From there the attacker can reach the Script Console to run arbitrary code on the Jenkins controller, or read arbitrary files from it. The Jenkins project disclosed the issue in Security Advisory SECURITY-3707 on June 10, 2026.
Critical Impact
Authenticated attackers can impersonate administrators, execute arbitrary code via the Script Console, and read arbitrary files from the Jenkins controller filesystem.
Affected Products
- Jenkins weekly releases 2.567 and earlier
- Jenkins LTS 2.555.2 and earlier
- Any Jenkins core or plugin class that can be instantiated through config.xml deserialization; the set of usable types depends on the plugins installed on a given controller
Discovery Timeline
- 2026-06-10 - Jenkins publishes Security Advisory SECURITY-3707 and assigns CVE-2026-53435
- 2026-06-10 - CVE-2026-53435 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-53435
Vulnerability Analysis
The flaw resides in how Jenkins processes config.xml submissions. Jenkins deserializes arbitrary Java types declared in core or installed plugins without restricting which classes may be reconstructed. Because some of the resulting objects register themselves to handle subsequent HTTP requests, the attacker controls behavior that runs inside Jenkins request handling. This permits impersonation of any user, administrators included. Once impersonation succeeds, the attacker can drive the Script Console to execute Groovy code on the controller, or read any file the Jenkins process can read, including credentials and secrets stored under $JENKINS_HOME.
Root Cause
The root cause is unsafe deserialization of attacker-influenced XML. Jenkins accepts config.xml content and reconstructs Java objects from it without an allowlist restricting which classes may be instantiated. Objects built from legitimate Jenkins or plugin classes then expose request-handling behavior that the submitter was never meant to control.
Attack Vector
An attacker submits a crafted config.xml over the network to a Jenkins endpoint that accepts configuration uploads. An authenticated account with low privileges is sufficient; administrative rights are not required. Once the malicious objects have been instantiated, the attacker sends follow-up HTTP requests that those objects handle, escalating to administrative actions and code execution.
No verified public proof-of-concept is referenced in the advisory. See the Jenkins Security Advisory SECURITY-3707 for vendor technical details.
Detection Methods for CVE-2026-53435
Indicators of Compromise
- POST or PUT requests to Jenkins endpoints that accept config.xml from non-administrative accounts, especially bodies that reference uncommon Java class names as element names or class attributes
- Unexpected invocations of the Script Console (/script or /scriptText) shortly after configuration uploads
- Jenkins audit log entries showing privileged actions performed by accounts that did not authenticate interactively
- Reads by the Jenkins controller process of sensitive paths such as $JENKINS_HOME/secrets/, credentials.xml, or users/, and unexpected outbound network connections from the controller
Detection Strategies
- Inspect HTTP request bodies sent to Jenkins for config.xml payloads referencing unexpected Java types in XML element names or class attributes
- Correlate config.xml submissions with subsequent authenticated requests that change identity or escalate privileges within a short window
- Hunt in the Jenkins system log (service or journal output, plus $JENKINS_HOME/logs/) for stack traces involving deserialization or reflection raised during XML parsing
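The two hunts above, body inspection and request correlation, are shown in working form below. This is an added example, not code from the Jenkins project or from the advisory. It assumes NCSA combined access-log lines (for example from a reverse proxy in front of a Jenkins served at context path /), a baseline of Java type names harvested from known-good config.xml files, and all sample data (the two config.xml bodies and the log lines) is constructed; org.example.hypothetical.Gadget is a placeholder name, not a real class.

```python
"""Two hunts for the pattern above: (1) unexpected Java types in a submitted
config.xml, (2) a config.xml write followed by Script Console use from the
same client. Added example, not Jenkins project code. Assumptions: access
logs are NCSA combined lines (e.g. from a reverse proxy in front of Jenkins,
context path '/'); the type baseline is harvested from known-good config.xml
files; all sample data below is constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# XStream names the class of a polymorphic field either as the element name
# (with '$' escaped as '_-') or in a class="..." attribute.
_JAVA_TYPE = re.compile(r"^[A-Za-z_]\w*(\.[A-Za-z_][\w$-]*)+$")

def extract_types(xml_text):
    """Every Java type name referenced by element name or class attribute."""
    found = set()
    for el in ET.fromstring(xml_text).iter():
        for cand in (el.tag, el.attrib.get("class", "")):
            if _JAVA_TYPE.match(cand):
                found.add(cand.replace("_-", "$"))
    return found

def unexpected_types(xml_text, baseline):
    """Types in a submission that never appeared in the known-good baseline."""
    return extract_types(xml_text) - baseline

# Constructed samples. BENIGN is a minimal freestyle job; SUSPICIOUS adds a
# placeholder type name (not a real class) to stand in for a gadget.
BENIGN = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description/>
  <scm class="hudson.scm.NullSCM"/>
  <builders>
    <hudson.tasks.Shell><command>make test</command></hudson.tasks.Shell>
  </builders>
</project>"""
SUSPICIOUS = BENIGN.replace(
    "</builders>", "  <org.example.hypothetical.Gadget/>\n  </builders>")

_NCSA = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_ncsa(line):
    """Parse one NCSA combined line into a dict, or None if it does not match."""
    m = _NCSA.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def _is_script_console(path):
    return path.split("?", 1)[0].rstrip("/") in ("/script", "/scriptText")

def config_then_script(lines, window=timedelta(minutes=10)):
    """(user, ip, config_path, script_path, gap_seconds) for each config.xml
    write followed within `window` by Script Console use from the same client.
    Matching is on client address, not user, because the identity seen on the
    later request may already be the impersonated one."""
    recs = [r for r in map(parse_ncsa, lines) if r]
    hits = []
    for w in recs:
        if w["method"] not in ("POST", "PUT") or not w["path"].endswith("/config.xml"):
            continue
        for s in recs:
            if s["ip"] == w["ip"] and w["ts"] <= s["ts"] <= w["ts"] + window \
                    and _is_script_console(s["path"]):
                gap = int((s["ts"] - w["ts"]).total_seconds())
                hits.append((w["user"], w["ip"], w["path"], s["path"], gap))
    return hits

SAMPLE_LOG = [  # constructed access-log lines
    '10.20.30.7 - dev1 [10/Jun/2026:12:00:01 +0000] "POST /job/build-app/config.xml HTTP/1.1" 200 0',
    '10.20.30.7 - dev1 [10/Jun/2026:12:00:09 +0000] "GET /job/build-app/ HTTP/1.1" 200 5120',
    '10.20.30.7 - admin [10/Jun/2026:12:03:44 +0000] "POST /scriptText HTTP/1.1" 200 87',
    '10.20.30.42 - ops [10/Jun/2026:12:05:00 +0000] "POST /script HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    baseline = extract_types(BENIGN)
    print("unexpected types:", unexpected_types(SUSPICIOUS, baseline))
    for hit in config_then_script(SAMPLE_LOG):
        print("config.xml write then Script Console:", hit)
```

The type baseline is deliberately built from existing, trusted config.xml files rather than from a hand-written list, so it adapts to whatever plugins a given controller has installed; anything outside it is a candidate for review, not proof of an attack. The correlation keys on client address because the user field on the later request may already show the impersonated identity, which is exactly the signal the IoC list above describes.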
Monitoring Recommendations
- Forward Jenkins access logs, audit logs, and controller process telemetry to a centralized analytics platform for correlation
- Alert on Script Console use outside change-management windows and on read access to $JENKINS_HOME/secrets/
- Track plugin inventory changes and watch for new request-handling endpoints appearing after configuration uploads
How to Mitigate CVE-2026-53435
Immediate Actions Required
- Upgrade Jenkins weekly to a release later than 2.567 and Jenkins LTS to a release later than 2.555.2, using the fixed versions listed in SECURITY-3707
- Restrict network access to the Jenkins controller so only trusted users and CI systems can reach configuration endpoints
- Audit Jenkins user accounts and rotate credentials, API tokens, and SSH keys stored in Jenkins if compromise is suspected
- Review recent config.xml submissions and Script Console activity for unauthorized changes
Patch Information
The Jenkins project published fixed versions alongside Security Advisory SECURITY-3707. Administrators should consult the advisory for the exact fixed weekly and LTS versions and apply the upgrade through their standard Jenkins update channel.
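When many controllers are in play, the first question is which of them fall inside the affected ranges stated above. The script below, an added example and not Jenkins project code, answers that from the version each controller reports. It assumes the version string is taken from the controller's X-Jenkins response header, with two components for weekly releases and three for LTS, and the inventory is constructed. It reports "outside-range" rather than "fixed", because only SECURITY-3707 is authoritative for the fixed versions.

```python
"""Fleet triage against the affected ranges stated on this page: weekly 2.567
and earlier, LTS 2.555.2 and earlier. Added example, not Jenkins project
code. Assumes each controller's version string is the value of its X-Jenkins
response header (two components for weekly releases, three for LTS). The
inventory is constructed; SECURITY-3707 is authoritative for fixed versions."""

LAST_AFFECTED_WEEKLY = (2, 567)
LAST_AFFECTED_LTS = (2, 555, 2)

def parse_version(text):
    """'2.555.2' -> (2, 555, 2); raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version):
    """True when the version falls inside this page's stated affected range.
    Weekly and LTS lines are compared against their own thresholds: an LTS
    2.555.x build is not meaningfully 'earlier' than weekly 2.567."""
    parts = parse_version(version)
    if len(parts) == 3:
        return parts <= LAST_AFFECTED_LTS
    if len(parts) == 2:
        return parts <= LAST_AFFECTED_WEEKLY
    raise ValueError(f"unrecognised Jenkins version format: {version!r}")

def triage(inventory):
    """{host: X-Jenkins value} -> {host: 'affected' | 'outside-range' | 'unknown'}"""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "outside-range"
        except ValueError:
            result[host] = "unknown"
    return result

INVENTORY = {  # constructed sample values
    "ci-prod.example.internal": "2.555.2",
    "ci-staging.example.internal": "2.567",
    "ci-lab.example.internal": "2.540.1",
    "ci-dev.example.internal": "2.568",
    "ci-legacy.example.internal": "2.555.3",
    "ci-broken.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
```

The weekly/LTS split matters: a naive tuple comparison would treat LTS 2.555.2 as older than weekly 2.560 and could mark an LTS controller wrongly, so each line is compared only against its own "and earlier" threshold.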
Workarounds
- If patching is delayed, limit access to Jenkins to authenticated administrators only and disable anonymous or low-privilege account creation
- Place Jenkins behind an authenticated reverse proxy that restricts config.xml submission paths to trusted source addresses
- Disable or remove plugins that are not required, reducing the set of types available for deserialization gadgets
# Example: restrict Jenkins controller access at the reverse proxy
# (nginx) - allow only the CI subnet to reach configuration endpoints.
# The regex matches any path ending in config.xml (job, folder, view, node
# and user configurations alike). jenkins_upstream is a placeholder for the
# upstream block that points at the controller. This only narrows the source
# addresses that can submit config.xml: accounts inside the allowed subnet
# can still exploit the flaw, and the controller must not be reachable
# except through this proxy for the restriction to mean anything.
location ~ /config\.xml$ {
    allow 10.20.30.0/24;
    deny all;
    proxy_pass http://jenkins_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

