CVE-2026-33002 is a security vulnerability affecting Jenkins versions 2.442 through 2.554 and LTS versions 2.426.3 through 2.541.2. The vulnerability stems from improper origin validation on the Jenkins CLI WebSocket endpoint. Jenkins attempts to verify the origin of incoming requests by computing the expected origin based on the Host or X-Forwarded-Host HTTP headers. However, these headers can be manipulated through DNS rebinding attacks, where an attacker controls a malicious domain that resolves to the Jenkins server's IP address after initial DNS resolution. This manipulation allows the attacker to bypass origin checks and send unauthorized requests to the Jenkins server via the WebSocket CLI interface. Since the CLI endpoint can execute commands, this bypass could lead to unauthorized command execution or access to sensitive build and deployment processes. The vulnerability does not require user interaction and can be exploited remotely if the attacker can induce a victim to visit a malicious website or otherwise trigger the DNS rebinding. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to Jenkins' critical role in software development pipelines. The lack of a CVSS score suggests this is a newly published issue, but the technical details indicate a high severity risk. Mitigation involves patching Jenkins to versions beyond 2.554 or LTS 2.541.2 once available, restricting access to the CLI WebSocket endpoint via network controls, and implementing DNS rebinding protections at the network or browser level.

The impact of CVE-2026-33002 is potentially severe for organizations relying on Jenkins for continuous integration and deployment. Successful exploitation could allow attackers to bypass origin validation and gain unauthorized access to the Jenkins CLI WebSocket endpoint, which may enable execution of arbitrary commands or manipulation of build and deployment processes. This could lead to compromise of the software supply chain, insertion of malicious code, disruption of development workflows, and exposure of sensitive credentials or proprietary source code. Given Jenkins' widespread adoption across industries including technology, finance, healthcare, and government, the vulnerability could affect a broad range of organizations globally. The attack does not require authentication or user interaction beyond inducing DNS rebinding, increasing the risk of remote exploitation. If exploited, attackers could undermine the integrity and availability of critical software infrastructure, potentially causing operational downtime and reputational damage. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability should be treated as a high priority due to the ease of exploitation and the critical nature of Jenkins in software development environments.

1. Apply patches or upgrade Jenkins to versions later than 2.554 or LTS versions later than 2.541.2 as soon as they become available from the Jenkins Project. 2. Restrict network access to the Jenkins CLI WebSocket endpoint by limiting it to trusted IP addresses or internal networks only, using firewalls or reverse proxies. 3. Disable the CLI WebSocket endpoint if it is not required for your environment to reduce the attack surface. 4. Implement DNS rebinding protections at the network level, such as configuring DNS servers or firewalls to block suspicious DNS responses or using browser security features that mitigate DNS rebinding. 5. Monitor Jenkins logs for unusual WebSocket connection attempts or origin header anomalies that may indicate exploitation attempts. 6. Educate developers and administrators about the risks of DNS rebinding and encourage safe browsing practices to avoid visiting untrusted domains that could trigger attacks. 7. Use web application firewalls (WAFs) with rules to detect and block suspicious WebSocket traffic or origin header manipulations. 8. Regularly audit Jenkins configurations and network architecture to ensure adherence to security best practices and minimize exposure of critical endpoints.