HIGH · Vulnerability · Verified · Global
Jenkins Security Advisory Patches Critical RCE in Pipeline Plugin
Tuesday, March 3, 2026 at 09:00 AM UTC · Source: Jenkins Security Advisory
Updated: Wednesday, March 4, 2026 at 11:00 AM UTC
Executive Summary
A critical deserialization vulnerability in the Jenkins Pipeline plugin allows unauthenticated remote code execution (RCE). More than 150,000 Jenkins instances are exposed.
Analysis
CVE-2026-4321 is a Java deserialization vulnerability in the Jenkins Pipeline: Groovy plugin that allows unauthenticated attackers to execute arbitrary code on Jenkins controllers. Shodan data shows over 150,000 internet-facing Jenkins instances, many running the vulnerable plugin version. Active exploitation was detected within 72 hours of advisory publication.
Timeline
Discovered: Feb 25, 2026
Exploitation Detected: Mar 2, 2026
Published: Mar 3, 2026
Patch Available: Mar 3, 2026