Open redirect in Jenkins and Jenkins LTS - CVE-2026-53440


Published: June 22, 2026


Vulnerability identifier: #VU134983
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-53440
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins LTS

Detailed vulnerability description

The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.

The vulnerability exists because the affected application does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login. A remote attacker can craft a link that points to the trusted website but, when clicked, redirects the victim to an arbitrary domain after they log in.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
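The defect class described above (CWE-601) comes down to one missing check: the post-login redirect target is taken from a request parameter and used as-is. The following is an added illustration of that check, written for this page; it is not Jenkins code and not the vendor's fix. It assumes a hypothetical application context path of `/jenkins` and uses made-up function names; the sample inputs at the bottom are constructed for the demonstration.

```python
"""
Validating a post-login "from" redirect parameter so that it can only point
back into the same application. Illustrative code, not Jenkins code.
"""
from typing import Optional
from urllib.parse import urlsplit

APP_ROOT = "/jenkins"  # assumed context path of the deployment (constructed)


def unsafe_after_login_redirect(from_param: Optional[str]) -> str:
    """Vulnerable pattern: whatever the request supplied is the redirect target."""
    return from_param or APP_ROOT + "/"


def safe_after_login_redirect(from_param: Optional[str], app_root: str = APP_ROOT) -> str:
    """Hardened pattern: accept only an absolute path under app_root, else fall back."""
    fallback = app_root + "/"
    if not from_param:
        return fallback
    # Control characters and whitespace: browsers strip some of them before
    # parsing a Location header, so "\t//host" could become "//host".
    if any(ord(c) < 0x21 for c in from_param):
        return fallback
    # Browsers normalise backslashes to "/", turning "/\host" into "//host".
    if "\\" in from_param:
        return fallback
    # Must be a path-only target: starts with "/" but not with "//" (which
    # browsers treat as scheme-relative, i.e. a different host).
    if not from_param.startswith("/") or from_param.startswith("//"):
        return fallback
    parts = urlsplit(from_param)
    # Defence in depth: a scheme or host component means an external target.
    if parts.scheme or parts.netloc:
        return fallback
    path = parts.path
    # Stay inside the application's own context root.
    if not (path == app_root or path.startswith(app_root + "/")):
        return fallback
    # Reject traversal segments that could step out of the context root.
    if any(seg == ".." for seg in path.split("/")):
        return fallback
    # Rebuild from the parsed components so only path, query and fragment survive.
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


if __name__ == "__main__":
    # Constructed sample values of the "from" parameter, in-app and external.
    samples = [
        "/jenkins/job/build?x=1",
        "https://evil.example/",
        "//evil.example/",
        "/\\evil.example",
        "/jenkins/../../evil",
    ]
    for s in samples:
        print(f"{s!r:32} unsafe -> {unsafe_after_login_redirect(s)!r:28} "
              f"safe -> {safe_after_login_redirect(s)!r}")
```

The design choice worth noting is the allow-list shape of the check: rather than trying to enumerate hostile prefixes, the function requires a same-origin absolute path under the context root and rebuilds the target from parsed components, so anything it did not explicitly recognise collapses to the application root.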


How to mitigate CVE-2026-53440

Install updates from the vendor's website.

Sources