CVE-2026-48921
HighSummary
The Groovy Libraries Plugin in Jenkins Pipeline version 797.v90ea_a_9b_e45a_0 and earlier does not prohibit the use of symbolic links in shared libraries. This allows attackers who can control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
Risk Assessment
Attackers may gain access to sensitive data on the Jenkins server, potentially leading to serious security breaches and loss of information confidentiality.
Recommendation
It is recommended to update the Groovy Libraries Plugin to the latest version that prohibits the use of symbolic links in shared libraries to minimize the risk of unauthorized file access.
Original NVD description (English source)
Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

