CVE Catalog

CVE-2026-57282

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent.

Risk Assessment

The risk involves potential remote code execution on the Jenkins agent by an attacker who can influence the build workspace directory name, which could lead to agent compromise and further attacks on the infrastructure.

Recommendation

It is recommended to immediately update the Git client plugin to version 6.7.0 or later. As a temporary workaround, restrict the ability to control workspace directory names by unauthorized users.

Original NVD description (English source)

Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS