The Jenkins project released a sweeping security advisory on April 29, 2026, disclosing seven vulnerabilities, including three rated High severity, across core plugins used in millions of CI/CD pipelines worldwide.
Organizations relying on Jenkins for automated build and deployment workflows must apply patches immediately to prevent remote code execution, stored XSS exploitation, and credential theft.
The Jenkins Security Advisory 2026-04-29 addresses vulnerabilities in seven widely deployed Jenkins plugins: Credentials Binding, GitHub, GitHub Branch Source, HTML Publisher, Matrix Authorization Strategy, Microsoft Entra ID (Azure AD), and Script Security.
All seven CVEs, ranging from CVE-2026-42519 through CVE-2026-42525, were responsibly disclosed through the Jenkins Bug Bounty Program sponsored by the European Commission.
This advisory follows a similarly critical March 2026 advisory that patched RCE flaws in Jenkins core itself, highlighting an accelerating pace of vulnerability disclosures for the platform.
CVE-2026-42520 – High-Severity Path Traversal in Credentials Binding Plugin (CVSS: High)
The most dangerous flaw in this batch is a path traversal vulnerability in the Credentials Binding Plugin (versions up to and including 719.v80e905ef14eb_).
The plugin fails to sanitize file names for file and zip file credentials, enabling any attacker who can supply credentials to a job to write files to arbitrary filesystem locations on the Jenkins node.
If a low-privileged user is permitted to configure file or zip file credentials for a job running on the built-in node, this vulnerability directly escalates to remote code execution (RCE). Administrators must immediately upgrade to version 720.v3f6decef43ea to remediate this issue.
CVE-2026-42523 & CVE-2026-42524 – Stored XSS in GitHub and HTML Publisher Plugins (CVSS: High)
Two separate stored cross-site scripting vulnerabilities compound the risk profile of this advisory. In the GitHub Plugin (versions up to 1.46.0), improper processing of the current job URL in the JavaScript implementing “GitHub hook trigger for GitScm polling” allows attackers with just Overall/Read permission to inject and store malicious scripts, a remarkably low privilege bar for a High-severity XSS.
Similarly, the HTML Publisher Plugin (versions up to 427) does not escape job names and URLs in legacy wrapper files, enabling attackers with Item/Configure permission to plant persistent XSS payloads.
The fixes are GitHub Plugin 1.46.0.1 and HTML Publisher Plugin 427.1. For Jenkins 2.539+ or LTS 2.541.1+, enforcing Content Security Policy (CSP) provides an additional mitigation layer.
CVE-2026-42521 – Unsafe Deserialization in Matrix Authorization Strategy Plugin (CVSS: Medium)
The Matrix Authorization Strategy Plugin (versions 2.0-beta-1 through 3.2.9) contains an unsafe deserialization flaw that allows attackers with Item/Configure permission to invoke parameterless constructors of arbitrary Java classes specified in the configuration during deserialization of inheritance strategies.
Instantiating unrestricted class types from the classpath can lead to information disclosure or chained exploitation, depending on the available libraries. Version 3.2.10 resolves this by enforcing strict class-type verification, ensuring that only valid inheritance-strategy implementations can be instantiated.
CVE-2026-42519 & CVE-2026-42522 – Permission Check Bypasses in Script Security and GitHub Branch Source Plugins
Two medium-severity missing-permission-check vulnerabilities round out the advisory. The Script Security Plugin (up to version 1399.ve6a_66547f6e1) exposes an HTTP endpoint that performs no permission check, allowing any user with Overall/Read access to enumerate pending and approved Script Security classpaths and thereby leaking sensitive operational configuration.
Separately, the GitHub Branch Source Plugin (up to 1967.vdea_d580c1a_b_a_) skips a permission check in form validation, letting attackers with Overall/Read access initiate connection tests against attacker-controlled URLs using arbitrary GitHub App credentials, a vector for credential harvesting and SSRF abuse.
Both flaws are fixed in Script Security Plugin 1402.v94c9ce464861 and GitHub Branch Source Plugin 1967.1969.v205fd594c821, respectively.
CVE-2026-42525 – Open Redirect in Microsoft Entra ID (Azure AD) Plugin
The Microsoft Entra ID Plugin (up to version 666.v6060de32f87d) does not validate or restrict the redirect URL following successful authentication.
According to Jenkins, threat actors can craft a phishing URL that routes through a legitimate Jenkins instance before silently forwarding authenticated users to a malicious external site, making the attack highly convincing to victims who trust the Jenkins domain. Version 667.v4c5827a_e74a_0 restricts post-authentication redirects to relative, internal Jenkins URLs, neutralizing this vector.
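The fix restricts post-login redirects to relative, internal URLs. As an added illustration (not the Entra ID plugin's own code), the following Python validator applies that rule and also handles the protocol-relative `//host` and backslash variants that browsers accept as absolute:

```python
from urllib.parse import urlsplit

def is_safe_post_login_redirect(target):
    """Accept only relative, same-instance paths for the post-login redirect.
    Rejects absolute URLs, scheme-less '//host' forms, backslash variants
    that browsers normalise to '//', control characters and whitespace."""
    if not isinstance(target, str) or not target:
        return False
    # Browsers treat '/\evil.example' like '//evil.example', so normalise first.
    candidate = target.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    # Anything a URL parser resolves to a scheme or host is not internal.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    # Control characters and whitespace could smuggle a second Location value.
    if any(c <= " " for c in candidate):
        return False
    return True

def resolve_redirect(requested, default="/"):
    """Return the requested target if safe, otherwise the instance root."""
    return requested if is_safe_post_login_redirect(requested) else default
```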
| Plugin | Affected Version | Fixed Version | CVE | Severity |
|---|---|---|---|---|
| Credentials Binding | ≤ 719.v80e905ef14eb_ | 720.v3f6decef43ea_ | CVE-2026-42520 | High |
| GitHub Plugin | ≤ 1.46.0 | 1.46.0.1 | CVE-2026-42523 | High |
| HTML Publisher | ≤ 427 | 427.1 | CVE-2026-42524 | High |
| Matrix Auth Strategy | ≤ 3.2.9 | 3.2.10 | CVE-2026-42521 | Medium |
| GitHub Branch Source | ≤ 1967.vdea_d580c1a_b_a_ | 1967.1969.v205fd594c821 | CVE-2026-42522 | Medium |
| Script Security | ≤ 1399.ve6a_66547f6e1 | 1402.v94c9ce464861 | CVE-2026-42519 | Medium |
| Microsoft Entra ID | ≤ 666.v6060de32f87d | 667.v4c5827a_e74a_0 | CVE-2026-42525 | Medium |
Security teams should prioritize the following steps:
- Patch the Credentials Binding Plugin first; its path traversal flaw carries direct RCE potential on built-in nodes
- Update GitHub and HTML Publisher plugins to eliminate stored XSS vectors accessible to low-privileged users
- Enforce Content Security Policy on Jenkins 2.539+ as a defense-in-depth control against XSS exploitation
- Restrict Overall/Read access to trusted users only, as multiple vulnerabilities require only this low privilege
- Audit file and zip credential configurations on built-in nodes before patching to assess exposure
- Update Matrix Authorization Strategy Plugin to prevent unsafe deserialization chains
- Validate the redirect behaviour of the Microsoft Entra ID Plugin after upgrading to confirm that no open-redirect path remains
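To turn the table above into an actionable check, here is an added Python helper (not from the advisory or the Jenkins project) that compares a plugins.txt-style inventory against the fixed versions listed on this page; the plugin short names are an assumed mapping from the display names the page uses, and the sample inventory is constructed.

```python
import re

# Fixed versions from the advisory table on this page, keyed by plugins.txt
# short names (assumed mapping; confirm in your own Plugin Manager).
FIXED = {
    "credentials-binding":  ("720.v3f6decef43ea", "CVE-2026-42520", "High"),
    "github":               ("1.46.0.1", "CVE-2026-42523", "High"),
    "htmlpublisher":        ("427.1", "CVE-2026-42524", "High"),
    "matrix-auth":          ("3.2.10", "CVE-2026-42521", "Medium"),
    "github-branch-source": ("1967.1969.v205fd594c821", "CVE-2026-42522", "Medium"),
    "script-security":      ("1402.v94c9ce464861", "CVE-2026-42519", "Medium"),
    "azure-ad":             ("667.v4c5827a_e74a_0", "CVE-2026-42525", "Medium"),
}

def version_key(version):
    """Sort key for Jenkins plugin versions: split on '.' and '-', compare
    numeric segments as integers; a segment with no leading digits (the
    'v80e905ef14eb_' hash suffix) ranks below any number, so 427 < 427.1."""
    key = []
    for seg in re.split(r"[.-]", version):
        m = re.match(r"\d+", seg)
        key.append((1, int(m.group())) if m else (0, 0))
    return key

def is_vulnerable(installed, fixed):
    """True when the installed version is older than the fixed one."""
    return version_key(installed) < version_key(fixed)

def check_inventory(lines):
    """Return (name, installed, fixed, cve, severity) for each listed plugin below its fix."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, installed = line.split(":", 1)
        if name in FIXED and is_vulnerable(installed, FIXED[name][0]):
            findings.append((name, installed) + FIXED[name])
    return findings

# Constructed sample inventory, not taken from any real instance.
SAMPLE = [
    "credentials-binding:719.v80e905ef14eb_",
    "htmlpublisher:427",
    "github-branch-source:1967.vdea_d580c1a_b_a_",
    "matrix-auth:3.2.9",
    "script-security:1402.v94c9ce464861",
    "unrelated-plugin:1.0",
]
```

The check is deliberately conservative: any version below the fixed one is flagged, including releases older than the stated affected range, since those should be upgraded anyway.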
FAQ
Q1: Can CVE-2026-42520 lead to full server takeover?
Yes, if a low-privileged user can configure file credentials for jobs on the built-in node, the path traversal enables arbitrary file writes that directly translate to remote code execution.
Q2: What permission level is required to exploit the GitHub Plugin XSS (CVE-2026-42523)?
Only Overall/Read permission is required, making it exploitable by nearly any authenticated Jenkins user in a multi-user environment.
Q3: Does the HTML Publisher XSS fix apply retroactively to existing wrapper files?
In HTML Publisher Plugin 427.1, only job names and URLs are escaped in newly generated wrapper files; existing legacy wrappers remain vulnerable until regenerated.
Q4: How were these vulnerabilities discovered?
All seven CVEs were reported through the Jenkins Bug Bounty Program sponsored by the European Commission via the YesWeHack platform.
Site: https://thecybrdef.com