A critical deserialization vulnerability in Jenkins (CVE-2026-53435) allows an unauthenticated attacker to submit a malicious configuration file, impersonate any user, and achieve full remote code execution on the Jenkins controller. All Jenkins versions through 2.567 and LTS versions through 2.555.2 are affected. This vulnerability is listed on CISA’s Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild, and places CI/CD pipelines, source code repositories, and downstream production systems at immediate risk.

Author

Tech Jacks Solutions