Jenkins Credentials Binding Plugin, Path Traversal Vulnerability, CVE-2026-48922 (High) -DC-May2026-2

Listen to this Post

CVE-2026-48922 is a path traversal flaw in the Jenkins Credentials Binding Plugin (versions ≤720.v3f6decef43ea_). The plugin fails to properly sanitize file names for `file` and `zip file` credentials. An attacker who can supply a credential to a job can craft a malicious file name containing directory traversal sequences (e.g., ../../). When the plugin writes the credential file to the build node’s filesystem, it uses the unsanitized name, allowing the attacker to place the file at an arbitrary location on the node.
If Jenkins is configured such that a low‑privileged user is allowed to configure `file` or `zip file` credentials for a job running on the built‑in node, the attacker can write a file anywhere on that node’s filesystem. Because the built‑in node typically executes job steps, the attacker can place an executable payload (e.g., a script or binary) in a location that will be invoked by a subsequent build step, leading to remote code execution (RCE).
This vulnerability is an incomplete fix for a previous path traversal issue (SECURITY‑3672 / CVE‑2026‑42520). The earlier patch added sanitization for the credential file name, but the sanitization logic was insufficient – it allowed some traversal sequences to slip through. The new advisory (SECURITY‑3790) addresses the bypass.
The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, giving a High severity base score of 7.5. The attack requires a low‑privileged user to have the necessary permissions to create the credentials, and the built‑in node must be used. No public exploit is known at the time of disclosure.

DailyCVE Form:

Platform: `Jenkins`
Version: `≤720.v3f6decef43ea_`
Vulnerability: `Path Traversal`
Severity: `High`
Date: `2026-05-27`

Prediction: `2026-05-27`

What Undercode Say:

Check current version of Credentials Binding Plugin
curl -s "http://<jenkins-url>/pluginManager/api/json?depth=1" | jq '.plugins[] | select(.shortName=="credentials-binding") | .version'
Test for the vulnerability (requires ability to provide a credential to a job)
Create a file credential with a malicious name containing a path traversal sequence
e.g., use the Jenkins CLI or REST API to upload a credential with filename "../../secrets/keyfile"
After the job that uses the credential runs, check if the file was written outside the expected directory
ls -la /path/to/jenkins/workspace/../../secrets/
If the file appears in the parent directory, the system is vulnerable.

Exploit:

  1. Obtain a low‑privileged Jenkins account with `Overall/Read` and `Credentials/Create` permissions.
  2. Create a `file` credential whose file name includes `../` sequences (e.g., ../../../../tmp/evil.sh).
  3. Configure a job that uses that credential (e.g., via a `withCredentials` block) and runs on the built‑in node.
  4. The plugin writes the credential content to the path specified by the traversal, placing `evil.sh` in /tmp/.
  5. The attacker includes a build step that executes the written file (e.g., sh '/tmp/evil.sh'), achieving RCE.

Protection:

  • Update immediately to Credentials Binding Plugin version 725.ve52b_2328a_fde or later.
  • If updating is not possible, disable the use of `file` and `zip file` credentials on the built‑in node for low‑privileged users.
  • Restrict `Credentials/Create` permission to only trusted users.
  • Run jobs on dedicated agents (not the built‑in node) when possible.

Impact:

  • Remote Code Execution on the Jenkins controller if the built‑in node is used.
  • Arbitrary file write on the node filesystem (complete system compromise).
  • Privilege escalation from a low‑privileged user to the Jenkins process user.
  • Data exfiltration / integrity loss by overwriting sensitive files.
  • Lateral movement to other systems reachable from the compromised node.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top