Verified Jenkins CLI arbitrary file read via @ argument expansion
REPRO-2026-00200 jenkins · generic Jul 2, 2026 .txt
Severity CRITICAL
Confidence HIGH
Reproduced in 21m 31s
Tool calls 73
Spend $1.64
Affected weekly <= 2.441; LTS <= 2.426.2
Fixed in 2.442; 2.426.3; 2.440.1
$ pruva-verify REPRO-2026-00200
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00200/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

The Jenkins core CLI uses args4j's expandAtFiles feature: any argument that begins with @ is replaced by the contents of the file at that path (one argument per line), read from the controller's filesystem. In Jenkins 2.441 and earlier (weekly) and 2.426.2 and earlier (LTS) this feature is enabled by default, so an unauthenticated attacker can read the first few lines of arbitrary files on the controller, and a user with Overall/Read permission can read entire files. Secrets leaked this way (for example keys stored under the Jenkins home directory) can enable further compromise, up to remote code execution.
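The following is an added illustration, not Jenkins or args4j code, of the mechanism described above: a toy CLI front end that performs @-file expansion the way the paragraph describes (each line of the named file becomes one argument), beside the hardened configuration that passes the argument through untouched, which is what the fixed releases do by default. The command table, the error text that echoes the unknown command, and the secret file are all constructed for the demo; the echoed-error leakage path is a simplification of how the real CLI surfaces the first line.

```python
"""
Model of args4j-style '@file' argument expansion and why it leaks files.
Added illustration, not Jenkins or args4j code: commands, error text and the
secret file are constructed for the demo.
"""
import os
import tempfile


def expand_at_files(argv, allow_at_syntax=True):
    """Replace every argument of the form '@<path>' by the lines of that file.

    Mirrors the expandAtFiles behaviour the advisory describes: each line of
    the file becomes a separate argument. With allow_at_syntax=False (the
    hardened configuration) the arguments are returned unchanged.
    """
    if not allow_at_syntax:
        return list(argv)
    expanded = []
    for arg in argv:
        if arg.startswith("@") and len(arg) > 1:
            # Reads with the privileges of the server process, not the caller.
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


# Constructed toy command table; the real CLI has many more commands.
KNOWN_COMMANDS = {"help", "version", "who-am-i"}


def dispatch(argv, allow_at_syntax=True):
    """Toy CLI front end: expand arguments, then run or reject the command.

    Returns (exit_code, message). Echoing the unknown command name in the
    error is the constructed leakage path: with expansion enabled the 'name'
    is the first line of whatever file the caller pointed at.
    """
    args = expand_at_files(argv, allow_at_syntax)
    if not args:
        return 1, "No command given"
    cmd = args[0]
    if cmd not in KNOWN_COMMANDS:
        return 1, f"No such command: {cmd}"
    return 0, f"ran {cmd} with {len(args) - 1} argument(s)"


def demo():
    """Write a constructed secret file, then compare pre- and post-fix behaviour.

    Returns (vulnerable_result, hardened_result), each an (exit_code, message).
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.key")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("CONSTRUCTED-MASTER-KEY-0123\nsecond line never shown\n")
        vulnerable = dispatch(["@" + secret])                          # leaks line 1
        hardened = dispatch(["@" + secret], allow_at_syntax=False)     # echoes '@/path' only
        return vulnerable, hardened


if __name__ == "__main__":
    for label, (code, msg) in zip(("vulnerable", "hardened"), demo()):
        print(f"{label}: exit={code} message={msg!r}")
```

Run it directly to see the two error messages side by side: the vulnerable path reports the first line of the secret file as an unknown command, while the hardened path reports the literal @-argument and reveals nothing about the file.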

03 · Root cause
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.


05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.