CVE-2026-57301: Vulnerability in Jenkins Project Jenkins OWASP ZAP Plugin
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
AI Analysis
Technical Summary
The Jenkins OWASP ZAP Plugin, version 1.0.7 and earlier, performs its build operations on the Jenkins controller instead of delegating them to the agent the job is assigned to. This is a defect in the plugin's code, not a misconfiguration of the instance: Jenkins' security model assumes build steps execute on agents, so that a user who can configure a job cannot thereby run code on the controller, and a build step that runs on the controller breaks that boundary. Anyone holding Item/Configure on a job that uses this plugin can therefore execute arbitrary code on the controller, which stores the credentials, configuration and job definitions for the whole instance. The advisory data reproduced on this page names no fixed release.
Potential Impact
An attacker with Item/Configure permission can execute arbitrary code on the Jenkins controller. Controller compromise exposes every credential stored on the instance, allows every job and pipeline definition to be altered, and lets the attacker tamper with build outputs, so the impact extends downstream into the software the instance builds. The CVSS 8.8 (High) score reflects that only an authenticated, low-privileged user is required. Because Item/Configure is commonly granted to all developers, the realistic attacker population is any project maintainer or anyone holding a compromised developer account.
Mitigation Recommendations
Patch status is not confirmed in the data shown here; check the Jenkins security advisory for the plugin before acting. Until a fixed release is installed:
- Restrict Item/Configure to trusted users. In many installations this permission is granted to every developer, so review who actually holds it rather than assuming the set is small.
- If the plugin is not needed, disable or uninstall it. Do not rely on assigning jobs to agents or labels: the affected code path runs on the controller regardless of the job's node assignment.
- Audit which jobs use the plugin's build step and review their recent configuration changes (JENKINS_HOME/jobs/*/config.xml) for unexpected edits.
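The audit steps above can be scripted against the controller's standard JSON API. The following Python script is an added example, not code from the advisory, the plugin project or Jenkins itself. It assumes the plugin's short or long name contains "zap" (the page does not give the plugin ID), that the controller exposes the usual /pluginManager/api/json?depth=1 endpoint, and that job config.xml files mark plugin-contributed elements with plugin="<shortName>@<version>", which Jenkins does. The sample API response and config.xml snippets are constructed, and org.example.ZapBuilder is a placeholder class name.

```python
"""Flag a Jenkins controller that still runs an OWASP ZAP plugin in the affected
range (1.0.7 and earlier) and list the jobs whose configuration references it.

Added example; assumptions (not stated by the advisory):
  - the plugin's shortName or longName contains "zap";
  - /pluginManager/api/json?depth=1 is reachable with a user + API token;
  - job config.xml marks plugin elements with plugin="<shortName>@<version>".
"""
import base64
import json
import re
import urllib.request

AFFECTED_MAX = (1, 0, 7)  # "1.0.7 and earlier" per the advisory

# Jenkins writes plugin="<shortName>@<version>" on plugin-contributed elements.
PLUGIN_ATTR = re.compile(r'plugin="([^"@]+)@([^"]+)"')


def parse_version(version):
    """Map a plugin version string to a comparable tuple of ints.

    Only the leading dotted-numeric part is used, so '1.0.7' and
    '1.0.7-SNAPSHOT' both become (1, 0, 7); tuple comparison orders
    '1.0.10' after '1.0.7', which a string compare would get wrong.
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version):
    """True if the version is 1.0.7 or earlier."""
    return parse_version(version) <= AFFECTED_MAX


def find_affected_plugins(plugin_manager_json):
    """Return [(shortName, version, enabled)] for installed ZAP-related plugins
    in the affected range, given the decoded /pluginManager/api/json response.
    A disabled plugin's build step cannot run, but it is still reported so the
    operator can decide to uninstall it."""
    hits = []
    for p in plugin_manager_json.get("plugins", []):
        name = (p.get("shortName", "") + " " + p.get("longName", "")).lower()
        if "zap" not in name:
            continue
        if is_affected(p.get("version", "0")):
            hits.append((p["shortName"], p["version"], bool(p.get("enabled", True))))
    return hits


def jobs_referencing(config_xml_by_job, short_names):
    """Given {job_name: config.xml text}, return the jobs whose configuration
    references any of the given plugin short names."""
    wanted = set(short_names)
    out = []
    for job, xml in config_xml_by_job.items():
        refs = {m.group(1) for m in PLUGIN_ATTR.finditer(xml)}
        if refs & wanted:
            out.append(job)
    return sorted(out)


def fetch_plugin_manager(base_url, user, api_token, timeout=15):
    """Fetch the plugin inventory from a live controller (network call)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    creds = base64.b64encode(("%s:%s" % (user, api_token)).encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample data, not captured from a real controller.
SAMPLE_PLUGIN_MANAGER = {
    "plugins": [
        {"shortName": "git", "longName": "Git plugin", "version": "5.2.1", "enabled": True},
        {"shortName": "zap", "longName": "OWASP ZAP Plugin", "version": "1.0.7", "enabled": True},
        {"shortName": "zap-pipeline", "longName": "ZAP Pipeline", "version": "1.0.10", "enabled": True},
    ]
}
SAMPLE_CONFIGS = {
    # org.example.ZapBuilder is a placeholder for the plugin's real builder class.
    "webapp-dast": '<project><builders><org.example.ZapBuilder plugin="zap@1.0.7">'
                   '<target>http://app</target></org.example.ZapBuilder></builders></project>',
    "lib-build": '<project><scm class="hudson.plugins.git.GitSCM" plugin="git@5.2.1"/>'
                 '<builders/></project>',
}

if __name__ == "__main__":
    affected = find_affected_plugins(SAMPLE_PLUGIN_MANAGER)
    for short, ver, enabled in affected:
        print("%s %s (%s)" % (short, ver, "enabled" if enabled else "disabled"))
    print("jobs to audit:", jobs_referencing(SAMPLE_CONFIGS, [a[0] for a in affected]))
```

Against a live instance, replace SAMPLE_PLUGIN_MANAGER with fetch_plugin_manager(url, user, token) and feed jobs_referencing the text of each job's config.xml (fetched from job/<name>/config.xml or read from JENKINS_HOME). The version comparison matters: a plain string compare would rank 1.0.10 below 1.0.7 and miss or misreport releases.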
CVSS v3.1
Score: 8.8 (High)
Affected software
pkg:github/jenkinsci/owasp-zap-plugin
Technical Details
- Data Version: 5.2
- Assigner Short Name: jenkins
- Date Reserved: 2026-06-24T08:41:44.359Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3be196eed863c81eeb991d
Added to database: 06/24/2026, 13:54:30 UTC
Last enriched: 06/24/2026, 14:10:34 UTC
Last updated: 06/24/2026, 19:05:15 UTC
Views: 7