CVE-2026-57301
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
Risk Assessment
The risk involves potential takeover of the Jenkins controller by an attacker with only Item/Configure permissions, which could compromise the confidentiality, integrity, and availability of the system.
Recommendation
It is recommended to immediately update the OWASP ZAP plugin to a version newer than 1.0.7, or if no patch is available, temporarily disable the plugin or restrict Item/Configure permissions to trusted users only.
Original NVD description (English source)
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.

