Executive Summary

A critical vulnerability (CVE-2026-57301) with a CVSS score of 8.8 has been discovered in the Jenkins OWASP ZAP Plugin, affecting versions 1.0.7 and earlier. This vulnerability allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller. Immediate action is required to update to a patched version.

Technical Analysis

This vulnerability is classified as CWE-610. The Jenkins OWASP ZAP Plugin performs build operations on the Jenkins controller rather than the assigned agent. This allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller. The attack vector is network-based (AV:N), with low attack complexity (AC:L) and low privileges required (PR:L).

How It Gets Exploited

An attacker with Item/Configure permission can exploit this vulnerability by configuring the build operation in a way that executes arbitrary code on the Jenkins controller. The attacker would need to send a crafted configuration to the Jenkins controller, which would then execute the malicious code. This could lead to a complete compromise of the Jenkins controller, allowing the attacker to execute arbitrary code, access sensitive data, and disrupt the build process.

Impact Assessment

The Jenkins OWASP ZAP Plugin versions 1.0.7 and earlier are affected. An attacker can achieve arbitrary code execution on the Jenkins controller, leading to a high impact on confidentiality, integrity, and availability. The CVSS score of 8.8 indicates a high severity vulnerability.

Recommended Actions

Update the Jenkins OWASP ZAP Plugin to version 1.0.8 or later. Ensure that only authorized users have Item/Configure permission. Monitor Jenkins controller logs for suspicious activity.

Sources