Missing Encryption of Sensitive Data in Jenkins and Jenkins LTS - CVE-2026-53442

 


Published: June 22, 2026


Vulnerability identifier: #VU134994
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-53442
CWE-ID: CWE-311
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins LTS

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists because the affected application does not encrypt secrets submitted through POST config.xml job configuration requests before storing them: instead of being written in Jenkins' encrypted secret format, the secrets are written in plaintext to the job's config.xml file. Anyone who can read those files, including through backups or copies of the Jenkins home directory, obtains the secrets directly, so a remote attacker can gain access to sensitive information on the system.


How to mitigate CVE-2026-53442

Install the fixed version from the vendor. Do not assume that updating re-encrypts values the vulnerable version already wrote to disk: audit existing job config.xml files for secrets stored in plaintext, re-save or recreate the affected job configurations, and rotate any secret found in plaintext.
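One way to carry out that audit, as an added example that is not part of this advisory or of Jenkins itself: scan each job's config.xml for credential-holding elements whose value is not in Jenkins' encrypted secret format (base64 wrapped in curly braces, e.g. {AQAAABAAAAAQ...}). The element-name heuristic (`SECRET_TAGS`), the sample config.xml and the element names inside it are constructed for illustration; extend the tag list for the plugins you run.

```python
import re
from pathlib import Path
import xml.etree.ElementTree as ET

# Heuristic list of element names that commonly hold credentials in Jenkins job
# config.xml files (assumption; extend for your plugins).
SECRET_TAGS = ("password", "secret", "token", "passphrase", "apikey", "privatekey")

# Jenkins' hudson.util.Secret serialises an encrypted value as base64 wrapped in
# curly braces, e.g. {AQAAABAAAAAQ...}. Anything else found in a secret-holding
# element is reported as plaintext.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_secret_tag(tag):
    """True if the element name suggests it stores a credential."""
    return any(keyword in tag.lower() for keyword in SECRET_TAGS)


def find_plaintext_secrets(xml_text):
    """Return the element paths (root/child/.../tag) of secret-holding elements
    whose text is not in Jenkins' encrypted format. Values are deliberately not
    returned so the report itself does not leak the secrets."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if is_secret_tag(child.tag) and text and not ENCRYPTED_RE.match(text):
                findings.append(child_path)
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def scan_jenkins_home(jenkins_home):
    """Scan every jobs/*/config.xml under JENKINS_HOME; returns {job name: [paths]}."""
    report = {}
    for config in Path(jenkins_home).glob("jobs/*/config.xml"):
        hits = find_plaintext_secrets(config.read_text(encoding="utf-8"))
        if hits:
            report[config.parent.name] = hits
    return report


# Constructed sample job configuration (not a real Jenkins job): one credential
# stored in the encrypted format, two stored in plaintext.
SAMPLE_CONFIG = """<project>
  <description>constructed sample, not a real job</description>
  <builders>
    <example.DeployStep>
      <username>deploy</username>
      <password>{AQAAABAAAAAQc2FtcGxlLWVuY3J5cHRlZC1ibG9iLWZvci1kZW1v}</password>
    </example.DeployStep>
  </builders>
  <publishers>
    <example.Notifier>
      <apiToken>plaintext-token-123</apiToken>
      <webhookSecret>hunter2</webhookSecret>
    </example.Notifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for path in find_plaintext_secrets(SAMPLE_CONFIG):
        print("plaintext secret at", path)
    # Real use: scan_jenkins_home("/var/lib/jenkins")
```

Run `scan_jenkins_home` against the live Jenkins home (and against any backups of it) and treat every reported element as a secret to rotate. The regex only recognises the current brace-wrapped encrypted format, so secrets written by very old Jenkins releases as bare base64 show up as false positives; that is the safe direction for an audit.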

Sources