{"id":"CVE-2026-33002","details":"Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable to DNS rebinding attacks that allow bypassing origin validation.","aliases":["BIT-jenkins-2026-33002","GHSA-phhv-63fh-rrc8"],"modified":"2026-04-16T02:14:29.194604040Z","published":"2026-03-18T16:16:28.187Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3674"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"9ed5f66f62ac5b116357d2f58cb37ca3161c5b60"},{"fixed":"4d8ef2fcf426ba73554572e4a60d4ac937ac5f43"},{"introduced":"10b1b883319ff21bfe742bd0abe225dd12f10c2b"},{"fixed":"bbcc9146ec13f17c4f638461d69df4e509ae0c2d"}],"database_specific":{"versions":[{"introduced":"2.426.3"},{"fixed":"2.541.3"},{"introduced":"2.442"},{"fixed":"2.555"}]}}],"versions":["jenkins-2.442","jenkins-2.443","jenkins-2.444","jenkins-2.445","jenkins-2.446","jenkins-2.447","jenkins-2.448","jenkins-2.449","jenkins-2.450","jenkins-2.451","jenkins-2.452","jenkins-2.453","jenkins-2.454","jenkins-2.455","jenkins-2.456","jenkins-2.457","jenkins-2.458","jenkins-2.459","jenkins-2.460","jenkins-2.461","jenkins-2.462","jenkins-2.463","jenkins-2.464","jenkins-2.465","jenkins-2.466","jenkins-2.467","jenkins-2.468","jenkins-2.469","jenkins-2.470","jenkins-2.471","jenkins-2.472","jenkins-2.473","jenkins-2.474","jenkins-2.475","jenkins-2.476","jenkins-2.477","jenkins-2.478","jenkins-2.479","jenkins-2.480","jenkins-2.481","jenkins-2.482","jenkins-2.483","jenkins-2.484","jenkins-2.485","jenkins-2.486","jenkins-2.487","jenkins-2.488","jenkins-2.489","jenkins-2.490","jenkins-2.491","jenkins-2.492","jenkins-2.493","jenkins-2.494","jenkins-2.495","jenkins-2.496","jenkins-2.497","jenkins-2.498","jenkins-2.499","jenkins-2.500","jenkins-2.501","jenkins-2.502","jenkins-2.503","jenkins-2.504","jenkins-2.505","jenkins-2.506","jenkins-2.507","jenkins-2.508","jenkins-2.509","jenkins-2.510","jenkins-2.511","jenkins-2.512","jenkins-2.513","jenkins-2.514","jenkins-2.515","jenkins-2.516","jenkins-2.517","jenkins-2.518","jenkins-2.519","jenkins-2.520","jenkins-2.521","jenkins-2.522","jenkins-2.523","jenkins-2.524","jenkins-2.525","jenkins-2.526","jenkins-2.527","jenkins-2.528","jenkins-2.529","jenkins-2.530","jenkins-2.531","jenkins-2.532","jenkins-2.533","jenkins-2.534","jenkins-2.535","jenkins-2.536","jenkins-2.537","jenkins-2.538","jenkins-2.539","jenkins-2.540","jenkins-2.541","jenkins-2.541.1","jenkins-2.541.1-rc","jenkins-2.541.2","jenkins-2.541.2-rc","jenkins-2.541.3-rc","jenkins-2.542","jenkins-2.543","jenkins-2.544","jenkins-2.545","jenkins-2.546","jenkins-2.547","jenkins-2.548","jenkins-2.549","jenkins-2.550","jenkins-2.551","jenkins-2.552","jenkins-2.553","jenkins-2.554"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33002.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}