VYPR
Vypr Intelligence · AI-generated · Jun 10, 2026 · 8 CVEs

Jenkins Core: Eight Vulnerabilities Disclosed Together on June 10, 2026

Eight security vulnerabilities affecting Jenkins core were disclosed on June 10, 2026, ranging from critical deserialization flaws to information disclosure and phishing risks.

Key findings

  • Eight vulnerabilities in Jenkins core disclosed simultaneously on June 10, 2026.
  • Critical deserialization flaw (CVE-2026-53435) allows arbitrary type deserialization.
  • Secrets from POST config.xml submissions were stored unencrypted (CVE-2026-53442).
  • Stored XSS vulnerability (CVE-2026-53441) affects user-provided descriptions.
  • Multiple vulnerabilities (CVE-2026-53440, CVE-2026-53437) enable phishing attacks via manipulated redirect URLs.
  • Affected versions are Jenkins 2.567 and earlier, LTS 2.555.2 and earlier.

On June 10, 2026, the Jenkins Project disclosed a batch of eight security vulnerabilities impacting its core platform. These vulnerabilities, all disclosed simultaneously, span a range of severity and impact, including critical deserialization flaws, cross-site scripting (XSS), information disclosure, and phishing risks. The disclosures highlight ongoing security challenges in managing secrets and user input within the widely used automation server.

A critical deserialization vulnerability, CVE-2026-53435, allows an attacker who can submit a crafted config.xml file to have Jenkins deserialize arbitrary types. The deserialized objects can then take part in handling subsequent HTTP requests, potentially allowing the attacker to impersonate any user. Jenkins relies on serialization and deserialization for several functions, including agent communication and saving configuration, and protects them with a custom deserialization filter (JEP-200); in this case that filter was bypassed.

Several vulnerabilities concern the handling of sensitive information and user input. In CVE-2026-53442, Jenkins does not encrypt secrets submitted via POST config.xml, so they are stored in plaintext in job configurations, where users with Item/Extended Read permission or direct access to the Jenkins controller file system can view them. Additionally, CVE-2026-53441, a stored XSS vulnerability, arises because Jenkins does not properly escape user-provided descriptions of offline causes submitted through the POST config.xml API; it is exploitable by users with Agent/Configure permission.

Two vulnerabilities in the validation of the redirect URL used after login can be abused for phishing. CVE-2026-53440 concerns redirect URLs with tab or newline characters between the two leading slashes (//), and CVE-2026-53437 concerns redirect URLs containing relative path segments (./ or ../). Jenkins did not validate these malformed URLs properly, so a user following such a link could be redirected to an attacker-controlled domain, for example a fake login page that captures their credentials.
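As an added example (not Jenkins' own code), the following validator for a post-login redirect target normalizes the string the way a browser does before checking it, so that the two malformed shapes described above (tab or newline inside a leading `//`, and `./` or `../` segments) are rejected rather than slipping past a check that only looks at the first character. The sample inputs are constructed.

```python
from urllib.parse import urlsplit

# Browsers drop ASCII tab, CR and LF anywhere in a URL before parsing it,
# so "/\t/evil.example" is fetched as "//evil.example" (a protocol-relative
# URL pointing at another origin). A validator must normalize the same way.
_STRIPPED = {"\t", "\r", "\n"}


def normalize_redirect(target: str) -> str:
    """Return the target as a browser would see it after stripping tab/CR/LF."""
    return "".join(ch for ch in target if ch not in _STRIPPED).strip()


def is_safe_redirect(target: str) -> bool:
    """Accept only an absolute path on the current origin with no relative segments."""
    t = normalize_redirect(target)
    if not t.startswith("/"):
        return False
    # Remaining control characters have no legitimate use in a redirect target.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in t):
        return False
    # "//host" and "/\host" are protocol-relative: browsers treat "\" like "/".
    if t[1:2] in ("/", "\\") or "\\" in t:
        return False
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:
        return False
    # Reject "." and ".." segments, literal or percent-encoded, so the
    # resolved location cannot differ from the path that was validated.
    for seg in parts.path.split("/"):
        if seg.replace("%2e", ".").replace("%2E", ".") in (".", ".."):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, including the two malformed shapes from the advisory.
    for candidate in ["/job/example/", "/\t/evil.example", "/./../evil.example"]:
        print(repr(candidate), "->", "allowed" if is_safe_redirect(candidate) else "rejected")
```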

Information disclosure and unauthorized actions are also addressed. CVE-2026-53439, stemming from missing permission checks, allows users with Overall/Read permission to enumerate other users' configured timezones and view names from "My Views." Another permission-related issue, CVE-2026-53438, permits attackers with Item/Cancel permission but lacking Item/Read permission to cancel queue items they should not have access to.

All eight vulnerabilities affect Jenkins versions 2.567 and earlier, and LTS versions 2.555.2 and earlier. The Jenkins Project has released patched versions to address these issues. Users are strongly advised to update to the latest available versions to mitigate these risks. The Jenkins Security Advisory (https://www.jenkins.io/security/advisory/2026-06-10/) provides detailed information on each vulnerability and the affected versions.

This coordinated disclosure underscores the importance of keeping Jenkins instances updated, particularly given the critical nature of the deserialization flaw and the potential for credential theft through phishing. Users should review the security advisory and apply patches promptly to protect their CI/CD pipelines and sensitive data.

AI-written article. Grounded in 8 CVE records listed below.