ATTACKERS have begun exploiting a critical remote code execution flaw in Jenkins, tracked as CVE-2026-53435, to run arbitrary commands on controllers within hours of its public disclosure (Jenkins advisory). The vulnerability resides in the way Jenkins processes config.xml files, allowing unauthenticated attackers to inject malicious payloads that lead to full system compromise. Security researchers at Defused observed active exploitation attempts starting on 11 June 2026, shortly after the advisory was published. The flaw affects all Jenkins versions 2.567 and earlier, as well as LTS releases 2.555.2 and prior. Administrators are urged to review their exposure and apply the patch released by the Jenkins project immediately.
CVE-2026-53435 has been assigned a CVSS v3 score of 8.8, reflecting its high impact and low attack complexity when the controller is exposed to untrusted networks. The root cause is a deserialization issue in the Jenkins core that processes uploaded config.xml files without proper validation of the supplied data. By crafting a config.xml that contains malicious serialized objects, an attacker can trigger remote code execution when Jenkins attempts to deserialize the file during configuration loading. This method does not require any valid user credentials if the Jenkins web interface is accessible from the attacker's network. The securityonline.info report notes that exploitation has been seen in the wild, with attackers leveraging the flaw to install backdoors and exfiltrate build artifacts (securityonline.info).
In addition to the critical RCE, the same advisory disclosed several medium‑severity issues that affect Jenkins usability and data protection. CVE-2026-53436 and CVE-2026-53437 are open redirect vulnerabilities that could be used in phishing campaigns to steal credentials. CVE-2026-53441 is a stored cross‑site scripting flaw that permits script injection into user sessions, potentially leading to account takeover.
CVE-2026-53438 and CVE-2026-53439 involve insufficient permission checks on queue operations, allowing unauthorized users to view or modify build queues. While these flaws are less severe, they expand the attack surface and highlight the need for a thorough review of the Jenkins installation, prompting administrators to assess all recent changes.
Defused telemetry indicates that the RCE flaw has been exploited in multiple campaigns since early June, with victims spanning sectors such as technology, finance and manufacturing. No specific threat actor group has been publicly attributed to these attacks, suggesting that the vulnerability is being used by opportunistic actors scanning for exposed Jenkins instances. The rapid emergence of exploits highlights the danger posed by unpatched deserialization bugs in widely deployed automation platforms.
Organizations that rely on Jenkins for continuous integration and delivery face the risk of supply chain compromise if build servers are subverted. Given the prevalence of Jenkins in DevOps pipelines, the incident serves as a reminder to prioritize patch management and network segmentation for critical infrastructure.
Administrators should immediately upgrade Jenkins to the latest version, which includes the fix for CVE-2026-53435 and addresses the other issues outlined in the advisory. The Jenkins project provides updated war files and installation packages for all affected branches, and the upgrade process is documented on the official website.
If an immediate upgrade is not feasible, access to the Jenkins controller should be restricted to trusted IP addresses using firewalls or VPNs, and the script console should be disabled. Additionally, reviewing Jenkins logs for unusual deserialize errors or unexpected process spawns can help identify compromise attempts. Finally, enforcing the principle of least privilege for Jenkins jobs and regularly updating plugins reduces the likelihood of successful exploitation even if a vulnerability remains unpatched.