Fluid Attacks Database

Description

Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.main:jenkins-core	>=2.442 <2.555	2.555

Aliases

1. CVE-2026-330022. NVD-2026-330023. OSV-2026-330024. GCVE-2026-33002

References

1. https://github.com/jenkinsci/jenkins/commit/348666da7136ef8270f88c0a7350562b0ba7f8ce2. https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.