Open redirect in Jenkins and Jenkins LTS - CVE-2026-53437
Published: June 22, 2026
Jenkins
Jenkins LTS
Detailed vulnerability description
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to the affected application improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between "//". A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.