CVE-2026-33002

Source
https://cve.org/CVERecord?id=CVE-2026-33002
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33002.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33002
Published
2026-03-18T16:16:28.187Z
Modified
2026-04-16T02:14:29.194604040Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details

Jenkins 2.442 through 2.554 (both inclusive) and LTS 2.426.3 through LTS 2.541.2 (both inclusive) perform origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison from the Host or X-Forwarded-Host HTTP request headers, making them vulnerable to DNS rebinding attacks that bypass origin validation.

Affected packages

Git / github.com/jenkinsci/jenkins

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/jenkins
Database specific
{
    "versions": [
        {
            "introduced": "2.426.3"
        },
        {
            "fixed": "2.541.3"
        },
        {
            "introduced": "2.442"
        },
        {
            "fixed": "2.555"
        }
    ]
}

Affected versions

jenkins-2.*
jenkins-2.442
jenkins-2.443
jenkins-2.444
jenkins-2.445
jenkins-2.446
jenkins-2.447
jenkins-2.448
jenkins-2.449
jenkins-2.450
jenkins-2.451
jenkins-2.452
jenkins-2.453
jenkins-2.454
jenkins-2.455
jenkins-2.456
jenkins-2.457
jenkins-2.458
jenkins-2.459
jenkins-2.460
jenkins-2.461
jenkins-2.462
jenkins-2.463
jenkins-2.464
jenkins-2.465
jenkins-2.466
jenkins-2.467
jenkins-2.468
jenkins-2.469
jenkins-2.470
jenkins-2.471
jenkins-2.472
jenkins-2.473
jenkins-2.474
jenkins-2.475
jenkins-2.476
jenkins-2.477
jenkins-2.478
jenkins-2.479
jenkins-2.480
jenkins-2.481
jenkins-2.482
jenkins-2.483
jenkins-2.484
jenkins-2.485
jenkins-2.486
jenkins-2.487
jenkins-2.488
jenkins-2.489
jenkins-2.490
jenkins-2.491
jenkins-2.492
jenkins-2.493
jenkins-2.494
jenkins-2.495
jenkins-2.496
jenkins-2.497
jenkins-2.498
jenkins-2.499
jenkins-2.500
jenkins-2.501
jenkins-2.502
jenkins-2.503
jenkins-2.504
jenkins-2.505
jenkins-2.506
jenkins-2.507
jenkins-2.508
jenkins-2.509
jenkins-2.510
jenkins-2.511
jenkins-2.512
jenkins-2.513
jenkins-2.514
jenkins-2.515
jenkins-2.516
jenkins-2.517
jenkins-2.518
jenkins-2.519
jenkins-2.520
jenkins-2.521
jenkins-2.522
jenkins-2.523
jenkins-2.524
jenkins-2.525
jenkins-2.526
jenkins-2.527
jenkins-2.528
jenkins-2.529
jenkins-2.530
jenkins-2.531
jenkins-2.532
jenkins-2.533
jenkins-2.534
jenkins-2.535
jenkins-2.536
jenkins-2.537
jenkins-2.538
jenkins-2.539
jenkins-2.540
jenkins-2.541
jenkins-2.541.1
jenkins-2.541.1-rc
jenkins-2.541.2
jenkins-2.541.2-rc
jenkins-2.541.3-rc
jenkins-2.542
jenkins-2.543
jenkins-2.544
jenkins-2.545
jenkins-2.546
jenkins-2.547
jenkins-2.548
jenkins-2.549
jenkins-2.550
jenkins-2.551
jenkins-2.552
jenkins-2.553
jenkins-2.554