Jenkins Credentials Binding path traversal write primitive reaches RCE
TL;DR - credentials-binding <= 719.v80e905ef14eb_ does not sanitise the file name of file and zip file credentials before writing them to disk during a build. An attacker who controls that file name can write to an arbitrary path on the node that runs the build. If that node is the controller's built-in node, the write lands on the controller's own filesystem and the primitive turns into RCE.
What happened
credentials-binding is the Jenkins plugin that injects secrets into build steps - including "file" and "zip file" credential types that land on disk during a build.
CVE-2026-42520 (High), disclosed 2026-04-29: the plugin does not sanitise the file name for these credential types. Control the file name, control where the file lands: a path traversal write to an attacker-chosen path on the filesystem of the node running the build.
The escalation path is the part worth paying attention to. If a low-privileged user can configure file or zip file credentials for a job that runs on the controller's built-in node, the write primitive reaches RCE. That is not a theoretical edge case: builds on the built-in node execute inside the controller's own JVM, with the controller's filesystem permissions, so the write reaches JENKINS_HOME and anything else the controller process can touch.
This is a recurring CI/CD failure mode. Credential materialisation code runs close to the filesystem, on nodes where a well-placed file write can hijack a process, poison a config, or plant a hook. The blast radius is never "just the web UI".
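To make the write primitive concrete, here is an added illustration in Python of the two materialisation paths the advisory names, file credentials and zip file credentials, each in a pre-fix form that trusts the name verbatim and a hardened form that rejects anything other than a single path component and verifies the join. This is not code from the credentials-binding plugin, whose fix is known only as "sanitizes the file name"; the function names, the secretFiles directory layout and every sample name and path are assumptions and placeholders.

```python
"""Vulnerable vs hardened credential file materialisation (file and zip).

Added illustration for this advisory, not code from the credentials-binding
plugin. Function names, directory layout and all sample names are assumptions;
the real fix is known only as "sanitizes the file name".
"""
import io
import os
import zipfile


class UnsafeFileName(ValueError):
    """A credential file name or zip entry would escape the target directory."""


def vulnerable_target(base_dir: str, file_name: str) -> str:
    """Pre-fix pattern: the caller-controlled name is joined verbatim.

    A name such as "../../evil" simply walks out of base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, file_name))


def sanitize_file_name(file_name: str) -> str:
    """Accept only a single path component; reject instead of stripping.

    Stripping "../" can be bypassed ("..././") and silently renames the
    credential; rejecting is simpler to reason about.
    """
    if file_name in ("", ".", ".."):
        raise UnsafeFileName(f"empty or dot name: {file_name!r}")
    if any(ch in file_name for ch in "/\\\x00"):
        raise UnsafeFileName(f"separator or NUL in file name: {file_name!r}")
    return file_name


def hardened_target(base_dir: str, file_name: str) -> str:
    """Post-fix pattern: sanitise, then verify the result stays in base_dir."""
    base = os.path.normpath(base_dir)
    target = os.path.normpath(os.path.join(base, sanitize_file_name(file_name)))
    # Defence in depth: the name passed sanitisation, but check the join too.
    # Real code should also resolve symlinks (os.path.realpath) on both sides.
    if os.path.dirname(target) != base:
        raise UnsafeFileName(f"{file_name!r} resolves outside {base}")
    return target


def vulnerable_zip_targets(base_dir: str, zip_bytes: bytes) -> list[str]:
    """Pre-fix pattern for zip file credentials: every entry name is trusted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(base_dir, n)) for n in zf.namelist()]


def hardened_zip_targets(base_dir: str, zip_bytes: bytes) -> list[str]:
    """Zip-slip guard: every entry must resolve strictly inside base_dir."""
    base = os.path.normpath(base_dir)
    targets = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if os.path.isabs(name) or name.startswith("\\") or "\x00" in name:
                raise UnsafeFileName(f"absolute or NUL entry: {name!r}")
            target = os.path.normpath(os.path.join(base, name))
            if target == base or os.path.commonpath([base, target]) != base:
                raise UnsafeFileName(f"zip entry escapes {base}: {name!r}")
            targets.append(target)
    return targets


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive; zipfile does not sanitise entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs (placeholder paths, not real attack targets).
BASE = "/var/jenkins_home/workspace/job@tmp/secretFiles/abc"
TRAVERSAL_NAME = "../../../../evil.txt"
EVIL_ZIP = build_zip({"config.json": b"{}", "../../../../evil.txt": b"x"})

if __name__ == "__main__":
    print("vulnerable file :", vulnerable_target(BASE, TRAVERSAL_NAME))
    print("vulnerable zip  :", vulnerable_zip_targets(BASE, EVIL_ZIP))
    for fn, arg in ((hardened_target, TRAVERSAL_NAME), (hardened_zip_targets, EVIL_ZIP)):
        try:
            fn(BASE, arg)
        except UnsafeFileName as exc:
            print("hardened reject :", exc)
```

Four `..` components are enough to climb from the assumed secretFiles directory back to the root of the (placeholder) JENKINS_HOME, which is the whole point of the built-in node case: a relative name chosen by the attacker, not an absolute path, is all it takes. The zip variant matters separately because a clean credential name says nothing about the entry names inside the archive.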
Who is impacted
- Jenkins controllers and CloudBees CI instances where untrusted or low-privileged users can configure or influence credentials consumed by builds.
- Any instance running Credentials Binding Plugin 719.v80e905ef14eb_ or earlier.
- Highest risk: deployments where affected jobs run on the built-in node, or on any node where a file write reaches a high-value target path.
What to do now
- Upgrade credentials-binding immediately. The fix is in 720.v3f6decef43ea_: "Credentials Binding Plugin 720.v3f6decef43ea_ sanitizes the file name provided for file and zip file credentials, preventing path traversal."
- If you run CloudBees CI, apply the platform upgrade from the same advisory: "CloudBees Traditional Platforms should be upgraded to 2.555.1.36488" and "CloudBees Cloud Platforms should be upgraded to 2.555.1.36488".
- Audit your authorisation boundaries around credential management:
- Who can create or modify file and zip credentials?
- Which jobs consume them?
- Can those jobs run on the built-in node?
- Hunt for signs of exploitation:
- Unexpected file writes on build nodes outside the build's workspace and its temporary (@tmp) directory, the only places credential materialisation should ever write to.
- Anomalous credential changes correlated with new or unusual build executions.
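The audit questions above (who has file credentials with odd names, and which jobs consume them on which nodes) can be answered from the configuration files on disk. The following is an added example, not code from the page or from Jenkins: it scans a constructed approximation of $JENKINS_HOME/credentials.xml for file credentials whose fileName is not a single path component, then joins them with constructed freestyle job config.xml fragments that bind those credentials through File or ZipFile bindings. The element names follow the plain-credentials and credentials-binding plugins' XML as I know it, but treat them as assumptions and check them against your own files; credentials scoped to folders live in the folder's config.xml instead, and pipeline jobs reference bindings from Jenkinsfiles rather than config.xml, so this covers only the freestyle case.

```python
"""Audit stored file credentials for traversal names and map them to jobs.

Added example for the audit bullets above; not code from the page or from
Jenkins. The XML is a constructed approximation of $JENKINS_HOME/credentials.xml
and a freestyle job config.xml (element names are assumptions; check them
against your own files). Sample names are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed credentials.xml: one clean entry, one traversal, one absolute.
CREDENTIALS_XML = """<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
 <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"><entry>
  <com.cloudbees.plugins.credentials.domains.Domain><specifications/></com.cloudbees.plugins.credentials.domains.Domain>
  <java.util.concurrent.CopyOnWriteArrayList>
   <org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
    <scope>GLOBAL</scope><id>deploy-cert</id><fileName>deploy.pem</fileName>
   </org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
   <org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
    <scope>GLOBAL</scope><id>odd-one</id><fileName>../../../../evil.txt</fileName>
   </org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
   <org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
    <scope>GLOBAL</scope><id>abs-one</id><fileName>/tmp/dropped.txt</fileName>
   </org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
  </java.util.concurrent.CopyOnWriteArrayList>
 </entry></domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""

BIND = "org.jenkinsci.plugins.credentialsbinding.impl"
# Constructed freestyle job config.xml fragments keyed by job name.
JOB_CONFIGS = {
    "deploy-prod": f"""<project><canRoam>true</canRoam><buildWrappers>
 <{BIND}.SecretBuildWrapper><bindings>
  <{BIND}.FileBinding><credentialsId>deploy-cert</credentialsId><variable>CERT</variable></{BIND}.FileBinding>
  <{BIND}.ZipFileBinding><credentialsId>odd-one</credentialsId><variable>BUNDLE</variable></{BIND}.ZipFileBinding>
 </bindings></{BIND}.SecretBuildWrapper></buildWrappers></project>""",
    "nightly": f"""<project><assignedNode>linux-agents</assignedNode><canRoam>false</canRoam><buildWrappers>
 <{BIND}.SecretBuildWrapper><bindings>
  <{BIND}.FileBinding><credentialsId>abs-one</credentialsId><variable>F</variable></{BIND}.FileBinding>
 </bindings></{BIND}.SecretBuildWrapper></buildWrappers></project>""",
}

# A legitimate file name is exactly one path component: no separators, no
# NUL, not empty, not "." or "..", no Windows drive prefix.
SUSPICIOUS = re.compile(r"^$|^\.\.?$|[/\\\x00]|^[A-Za-z]:")


def suspicious_file_credentials(credentials_xml: str) -> list[tuple[str, str]]:
    """Return (id, fileName) for every file credential with a non-plain name."""
    found = []
    for el in ET.fromstring(credentials_xml).iter():
        if el.tag.endswith("FileCredentialsImpl"):
            name = el.findtext("fileName", "")
            if SUSPICIOUS.search(name):
                found.append((el.findtext("id", ""), name))
    return found


def file_binding_consumers(job_configs: dict[str, str]) -> dict[str, list[tuple[str, bool]]]:
    """Map credentialsId -> [(job, may_run_on_built_in)] over File/ZipFile bindings.

    A roaming job (canRoam true, no label) can only be scheduled on the
    built-in node if that node has executors; newer Jenkins defaults it to
    zero, so confirm the executor count rather than trusting this flag alone.
    """
    consumers: dict[str, list[tuple[str, bool]]] = {}
    for job, xml in job_configs.items():
        root = ET.fromstring(xml)
        roams = root.findtext("canRoam", "true").strip().lower() == "true"
        label = (root.findtext("assignedNode") or "").strip()
        may_hit_built_in = roams or label in ("built-in", "master")
        for el in root.iter():
            if el.tag.endswith("FileBinding"):  # also matches ZipFileBinding
                cid = el.findtext("credentialsId", "")
                consumers.setdefault(cid, []).append((job, may_hit_built_in))
    return consumers


def triage(credentials_xml: str, job_configs: dict[str, str]) -> list[tuple[str, str, list[tuple[str, bool]]]]:
    """Suspicious credentials joined with the jobs that would materialise them."""
    consumers = file_binding_consumers(job_configs)
    return [(cid, name, consumers.get(cid, []))
            for cid, name in suspicious_file_credentials(credentials_xml)]


if __name__ == "__main__":
    for cid, name, jobs in triage(CREDENTIALS_XML, JOB_CONFIGS):
        print(f"{cid!r}: fileName={name!r} consumed by {jobs or 'no freestyle job found'}")
```

A hit with a True flag is the case the advisory warns about: a traversal name bound into a job that can land on the built-in node. Run it over the real files before upgrading, since a credential created while the old plugin was installed keeps its stored name after the fix and only stops being materialised at the bad path.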
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
