CVE-2026-48922
HighSummary
Jenkins Credentials Binding Plugin version 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers to write files to arbitrary locations on the node filesystem.
Risk Assessment
This can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for jobs running on the built-in node.
Recommendation
It is recommended to update the plugin to the latest version and to restrict the permissions of users who can configure file and zip file credentials.
Original NVD description (English source)
Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

