SB2026062227 - Multiple vulnerabilities in Jenkins and Jenkins LTS



SB2026062227 - Multiple vulnerabilities in Jenkins and Jenkins LTS

Published: June 22, 2026

Security Bulletin ID SB2026062227
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 88% Low 13%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Open redirect (CVE-ID: CVE-2026-53440)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to the affected application does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.


2) Deserialization of Untrusted Data (CVE-ID: CVE-2026-53435)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote user can pass specially crafted data to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Open redirect (CVE-ID: CVE-2026-53436)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to the affected application improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`). A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.


4) Open redirect (CVE-ID: CVE-2026-53437)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to the affected application improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between "//". A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.


5) Missing Authorization (CVE-ID: CVE-2026-53438)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks. A remote user can cancel queue items they do not have permission to view.


6) Missing Authorization (CVE-ID: CVE-2026-53439)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks. A remote user can determine other users' configured timezone and enumerate view names of other users' "My Views".


7) Stored cross-site scripting (CVE-ID: CVE-2026-53441)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in node offline cause description. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


8) Missing Encryption of Sensitive Data (CVE-ID: CVE-2026-53442)

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected application does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files. A remote attacker can gain access to sensitive information on the system.


Remediation

Install update from vendor's website.