Jenkins Security Advisory Patches Critical RCE in Pipeline Plugin

Tuesday, March 3, 2026 at 09:00 AM UTC·Source: Jenkins Security Advisory

Updated: Wednesday, March 4, 2026 at 11:00 AM UTC

Executive Summary

Critical deserialization vulnerability in Jenkins Pipeline plugin allows unauthenticated RCE. 150,000+ Jenkins instances exposed.

Analysis

CVE-2026-4321 is a Java deserialization vulnerability in the Jenkins Pipeline: Groovy plugin allowing unauthenticated attackers to execute arbitrary code on Jenkins controllers. Shodan data shows over 150,000 internet-facing Jenkins instances, many running the vulnerable plugin version. Active exploitation detected within 72 hours of advisory publication.

Timeline

Discovered

Feb 25, 2026

Exploitation Detected

Mar 2, 2026

Published

Mar 3, 2026

Patch Available

Mar 3, 2026

Indicators of Compromise (1)

CVE (1)

CVE-2026-4321

NVD MITRE CVE

Source Attribution

Originally published by Jenkins Security Advisory on Mar 3, 2026. Verified by: Jenkins Project, CISA.

Related Threats

MEDIUMVulnerabilityNEW

CaixaBank launches a carbon credit trading platform to help clients offset their emissions

CaixaBank CIB has launched a carbon credit trading platform, a tool designed to make it easier for corporate clients and businesses to voluntarily offset CO2 emissions.

23m agoFinextra

MEDIUMVulnerabilityNEW

Cyber Resilience is the New Business Continuity Plan

The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. The post Cyber Resilience is the New Business Continuity Plan appeared first on SecurityWeek .

43m agoSecurityWeek

MEDIUMVulnerabilityNEW

Microsoft confirms patching issues in restricted Windows networks

Microsoft says customers in restricted network environments may encounter Windows Update failures after installing the January 2026 optional non-security preview updates. [...]

51m agoBleepingComputer