Jenkins Patches High-Severity Plugin Flaws, Including Path Traversal
Key Takeaways Jenkins has released critical security patches for seven vulnerabilities across multiple plugins. High-severity flaws include a path traversal vulnerability (CVE-2026-42520) in the...
Key Takeaways
- Jenkins has released critical security patches for seven vulnerabilities across multiple plugins.
- High-severity flaws include a path traversal vulnerability (CVE-2026-42520) in the Credentials Binding Plugin and Stored Cross-Site Scripting (XSS) issues (CVE-2026-42523, CVE-2026-42524) in the GitHub and HTML Publisher Plugins.
- These vulnerabilities pose risks ranging from remote code execution and session hijacking to credential harvesting.
- Immediate updates to affected plugins are strongly advised for all Jenkins administrators to secure CI/CD pipelines.
The Jenkins project has issued a security advisory detailing urgent patches for seven vulnerabilities impacting several of its plugins. These security defects include high-severity path traversal and Stored Cross-Site Scripting (XSS) flaws, underscoring the critical need for administrators to update their Continuous Integration and Continuous Deployment (CI/CD) environments promptly.
Table Of Content
Failure to apply these patches could expose Jenkins pipelines to significant risks, including potential remote code execution and session hijacking by malicious actors.
High-Severity Vulnerabilities Demand Immediate Attention
The most pressing concern is a path traversal vulnerability, identified as CVE-2026-42520, found within the Credentials Binding Plugin. This flaw affects versions 719.v80e905ef14eb_ and earlier, where the plugin inadequately sanitizes file and zip file credentials. In scenarios where a Jenkins setup permits a low-privileged user to configure such credentials for a job executing on a built-in node, attackers could exploit this weakness.
Exploitation of CVE-2026-42520 allows threat actors to write arbitrary malicious files to any location on the underlying node’s filesystem. This capability could lead to the establishment of persistent access or, critically, remote code execution on the compromised system.
Beyond the path traversal issue, two high-severity Stored XSS vulnerabilities have been identified, threatening the integrity of Jenkins interfaces:
- CVE-2026-42523: This vulnerability impacts the GitHub Plugin, specifically versions 1.46.0 and earlier. The plugin’s validation process for the “GitHub hook trigger for GITScm polling” mechanism improperly handles the current job URL. This oversight enables non-anonymous attackers with minimal Overall/Read permissions to inject malicious JavaScript into the application, potentially leading to session hijacking or data exfiltration.
- CVE-2026-42524: Affecting the HTML Publisher Plugin in versions 427 and earlier, this flaw stems from the plugin’s failure to properly escape job names and URLs within its legacy wrapper file. Attackers possessing Item/Configure permissions can leverage this vulnerability to execute devastating XSS attacks, targeting administrators who view the generated reports.
Medium-Severity Vulnerabilities Also Patched
The advisory also highlights four medium-severity vulnerabilities that require prompt remediation:
- CVE-2026-42519: The Script Security Plugin was found to lack proper permission checks for its HTTP endpoints. This allows users with basic Overall/Read access to enumerate pending and approved classpaths without authorization.
- CVE-2026-42521: The Matrix Authorization Strategy Plugin is susceptible to unsafe deserialization when processing inheritance strategies. This flaw could enable attackers to instantiate arbitrary types, potentially leading to further compromise.
- CVE-2026-42522: The GitHub Branch Source Plugin permits unauthorized connection tests using credentials specified by an attacker, which could be abused for reconnaissance or credential verification.
- CVE-2026-42525: An open redirect vulnerability exists in the Microsoft Entra ID Plugin. This could be exploited in phishing campaigns to harvest credentials by redirecting users to malicious sites.
All identified flaws were proactively reported through the Jenkins Bug Bounty Program, an initiative sponsored by the European Commission.
As detailed in the Jenkins Project security advisory, development teams are urged to apply the latest patches immediately to fortify their infrastructure. For additional defense against XSS exploitation while patches are being deployed, enforcing Content Security Policy (CSP) protection on Jenkins LTS 2.541.1 and newer versions is recommended.
What You Should Do
- Update Plugins Immediately: Prioritize updating all affected Jenkins plugins to their latest versions as outlined in the security advisory.
- Review Permissions: Audit and restrict permissions for low-privileged users, especially concerning the configuration of credentials and job items.
- Implement CSP: For Jenkins LTS 2.541.1 and newer, enforce Content Security Policy (CSP) protection as an additional layer against XSS vulnerabilities.
- Monitor Logs: Regularly monitor Jenkins access logs and system logs for unusual activity, especially related to file system writes or unauthorized access attempts.
- Stay Informed: Subscribe to Jenkins security advisories to remain aware of ongoing threats and recommended mitigation strategies.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.