Jenkins Security Advisory: 13 CVEs Across 11 Plugins Disclosed May 2026
Jenkins released a security advisory on May 27, 2026, disclosing 13 vulnerabilities across 11 plugins, including two High-severity flaws that could lead to remote code execution and arbitrary file reads.

Key findings
- 13 CVEs disclosed across 11 Jenkins plugins in a single May 27, 2026 advisory
- CVE-2026-48922 in Credentials Binding Plugin can lead to RCE via arbitrary file writes
- CVE-2026-48920 in Email Extension Plugin allows reading arbitrary files via file: URLs in email images
- Four LDAP-related CVEs (Active Directory & LDAP plugins) involve unsafe referral following and deserialization
- CVE-2026-48927 in buildgraph-view Plugin enables stored XSS via unescaped build URLs
- CVE-2026-48924 in Bitbucket OAuth Plugin allows phishing via unrestricted redirect URLs
The Jenkins Project published a security advisory on May 27, 2026 disclosing 13 vulnerabilities across 11 plugins. The batch includes two High-severity CVEs — one in the Credentials Binding Plugin and one in the Email Extension Plugin — alongside a cluster of Medium-severity issues spanning LDAP handling, cross-site request forgery, stored XSS, and missing permission checks. Several of the flaws share common root causes, such as unsafe deserialization from LDAP referrals and improper validation of file paths and URLs.
High-severity flaws: RCE and arbitrary file read
The most severe vulnerability in the batch is CVE-2026-48922 (CVSS 7.5, High) in the Credentials Binding Plugin (versions 720.v3f6decef43ea and earlier). The plugin fails to properly sanitize file names for file and zip file credentials, allowing attackers who can provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured in a certain way, this can lead to remote code execution.
CVE-2026-48921 (CVSS 7.5, High) affects the Pipeline: Groovy Libraries Plugin (versions 797.v90ea_a_9b_e45a_0 and earlier). The plugin does not prohibit symbolic links in shared libraries, enabling attackers who control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.
CVE-2026-48920 (CVSS 8.8, High) is in the Email Extension Plugin (versions 1933.v45cec755423f and earlier). The plugin allows inlining images as base64 in email content by setting the data-inline attribute, without restrictions on the image URLs that can be inlined. Attackers able to control email content can specify file: URLs for images to read arbitrary files from the Jenkins controller.
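The three High-severity issues above share one root cause: an attacker-influenced name or URL is used without being confined to what the feature actually needs. The Python below is an added illustration, not code from Jenkins or from any of these plugins, of the two checks a defender would expect at such a boundary: a credential file name confined to its workspace directory (covering both separator and symlink escapes), and an image URL allow-listed to absolute http(s) before anything is fetched and inlined. The workspace path, hostnames and file names are constructed for the example.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# Constructed workspace directory for this example (hypothetical path).
WORKSPACE = Path("/srv/jenkins_home/workspace/job1").resolve()

# Schemes an email-inlining step may fetch images from; file: is deliberately absent.
ALLOWED_IMAGE_SCHEMES = frozenset({"http", "https"})


def confine_secret_file(base_dir: Path, file_name: str) -> Optional[Path]:
    """Return the location a credential file may be written to, or None when
    the supplied name could escape base_dir.

    Two independent checks: the name must be a single path component (no
    separators, no '.' / '..', no NUL byte), and the fully resolved target
    must still lie under the resolved base directory, so a pre-existing
    symlink inside the workspace cannot redirect the write elsewhere.
    """
    if not file_name or file_name in (".", ".."):
        return None
    if any(ch in file_name for ch in ("/", "\\", "\x00")):
        return None
    base = base_dir.resolve()
    target = (base / file_name).resolve()  # follows symlinks where they exist
    if base not in target.parents:
        return None
    return target


def is_inlinable_image_url(url: str) -> bool:
    """Allow-list check for an image URL before it is fetched and base64-inlined.

    Only absolute http(s) URLs with a host pass; file:, data:, javascript:,
    scheme-relative (//host) and bare paths are all rejected.
    """
    parts = urlparse(url.strip())
    return parts.scheme.lower() in ALLOWED_IMAGE_SCHEMES and bool(parts.netloc)


if __name__ == "__main__":
    # Constructed inputs: one benign name/URL and several that must be refused.
    for name in ("id_rsa", "../../etc/cron.d/job", "..", "a\\b"):
        print(f"{name!r:28} -> {confine_secret_file(WORKSPACE, name)}")
    for url in ("https://ci.example.test/logo.png", "file:///etc/passwd",
                "//ci.example.test/logo.png"):
        print(f"{url!r:36} -> {is_inlinable_image_url(url)}")
```

The second check in `confine_secret_file` is the one most often omitted: rejecting separators stops `../` traversal, but only the post-resolution containment test catches a symlink that an earlier step left inside the workspace, which is the same class of problem the shared-library symlink issue describes.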
LDAP referral handling: four related CVEs
A cluster of four Medium-severity CVEs (all CVSS 6.6) targets the Active Directory Plugin and the LDAP Plugin, both of which follow LDAP referrals by default and deserialize data from those referrals without validation.
CVE-2026-48918 and CVE-2026-48919 affect the Active Directory Plugin (versions 2.41 and earlier). The plugin follows LDAP referrals by default (CVE-2026-48918) and deserializes data from those referrals without validation (CVE-2026-48919).
CVE-2026-48916 and CVE-2026-48917 affect the LDAP Plugin (versions 807.v7d7de30930cf and earlier) with the same pattern — following referrals by default (CVE-2026-48916) and deserializing attacker-controlled data from them (CVE-2026-48917).
The advisory notes that LDAP referrals can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, potentially enabling server-side request forgery (SSRF) and deserialization attacks.
Cross-site request forgery and missing permission checks
Three CSRF vulnerabilities were disclosed:
CVE-2026-9674 (CVSS 4.3) in the Multijob Plugin (versions 662.vd2e0001f6b_b_d and earlier) allows attackers to resume failed Multijob builds via CSRF.
CVE-2026-48925 (CVSS 4.3) in the GitHub Integration Plugin (versions 0.7.3 and earlier) allows attackers to trigger a build for a pull request via CSRF.
Two plugins were found to have missing permission checks:
CVE-2026-48926 (CVSS 4.3) in the Job Import Plugin (versions 143.v044a_2e819b_27 and earlier) allows attackers with Overall/Read permission to enumerate credentials IDs via an unprotected HTTP endpoint.
CVE-2026-48923 (CVSS 4.3) in the AppSpider Plugin (versions 1.0.17 and earlier) allows attackers with Overall/Read permission to connect to an attacker-specified URL via an unprotected form validation method.
Stored XSS and open redirect
CVE-2026-48927 (CVSS 5.5) in the buildgraph-view Plugin (versions 1.8 and earlier) does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views.
CVE-2026-48924 (CVSS 4.3) in the Bitbucket OAuth Plugin (versions 0.17 and earlier) does not restrict the redirect URL after login, allowing attackers to perform phishing attacks via an open redirect.
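Both issues in this section have well-understood mitigations. The Python below is an added example, not code from either plugin, showing a post-login redirect restricted to a local path on the same instance, and a user-controlled build URL rendered into a link with both scheme allow-listing and HTML escaping. The second point is the one worth noting: escaping alone turns `<script>` into harmless text but leaves a `javascript:` href fully functional, so the scheme must be checked separately. Hostnames and URLs are constructed for the example.

```python
from html import escape
from urllib.parse import urlparse

# Schemes a rendered build link may point at.
LINK_SCHEMES = ("http", "https")


def safe_post_login_redirect(requested: str, default: str = "/") -> str:
    """Constrain the post-login destination to a path on this Jenkins instance.

    Anything carrying a scheme or an authority falls back to `default`. The
    explicit '//' and backslash checks matter because browsers treat both
    '//evil.example' and '/\\evil.example' as host-bearing URLs even though
    a naive "starts with a slash" test accepts them.
    """
    if not requested:
        return default
    parts = urlparse(requested)
    if parts.scheme or parts.netloc:
        return default
    if (not requested.startswith("/") or requested.startswith("//")
            or "\\" in requested):
        return default
    return requested


def render_build_link(build_url: str, label: str) -> str:
    """Render an <a> element for a build URL that a job or view owner set.

    The URL is only used as an href when it is an absolute http(s) URL; any
    other scheme degrades to plain escaped text. Both the href and the label
    are HTML-escaped with quote=True so neither can break out of the attribute
    or inject markup.
    """
    parts = urlparse(build_url)
    if parts.scheme.lower() not in LINK_SCHEMES or not parts.netloc:
        return escape(label, quote=True)
    return '<a href="%s">%s</a>' % (escape(build_url, quote=True),
                                    escape(label, quote=True))


if __name__ == "__main__":
    # Constructed inputs covering the benign and the abusive cases.
    for target in ("/job/app/lastBuild/", "https://evil.example/login",
                   "//evil.example/login", "/\\evil.example"):
        print(f"{target!r:32} -> {safe_post_login_redirect(target)}")
    for url, label in (("https://ci.example.test/job/a/7/", "build <7>"),
                       ("javascript:alert(1)", "build #7")):
        print(render_build_link(url, label))
```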
Patch status and response
The Jenkins Project has released updated versions of all affected plugins. Users are advised to update to the latest versions of each plugin as specified in the Jenkins Security Advisory 2026-05-27. For plugins where no fix is yet available, the advisory recommends disabling the plugin or restricting permissions to mitigate risk.
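To check an installation against the versions listed above, the following added Python (not from the Jenkins Project) compares each installed plugin version with the last affected version the advisory summary gives for that plugin, treating "X and earlier" as inclusive. The comparison uses only the leading numeric components of a version string (so 720.v3f6decef43ea compares as 720 and 2.41 as (2, 41)), which is enough for the versions named here; Jenkins' own hudson.util.VersionNumber remains the authoritative comparator for anything unusual. Plugins are keyed by the display names used on this page, since the summary does not give plugin short IDs, and the inventory below is constructed, with post-fix version strings that are hypothetical placeholders rather than real fixed versions.

```python
import re
from typing import Dict, List, Tuple

# Last affected version and CVE list per plugin, transcribed from the advisory
# summary above (display names; map to short IDs from your own inventory).
ADVISORY_2026_05_27: Dict[str, Tuple[str, List[str]]] = {
    "Credentials Binding Plugin": ("720.v3f6decef43ea", ["CVE-2026-48922"]),
    "Pipeline: Groovy Libraries Plugin": ("797.v90ea_a_9b_e45a_0", ["CVE-2026-48921"]),
    "Email Extension Plugin": ("1933.v45cec755423f", ["CVE-2026-48920"]),
    "Active Directory Plugin": ("2.41", ["CVE-2026-48918", "CVE-2026-48919"]),
    "LDAP Plugin": ("807.v7d7de30930cf", ["CVE-2026-48916", "CVE-2026-48917"]),
    "Multijob Plugin": ("662.vd2e0001f6b_b_d", ["CVE-2026-9674"]),
    "GitHub Integration Plugin": ("0.7.3", ["CVE-2026-48925"]),
    "Job Import Plugin": ("143.v044a_2e819b_27", ["CVE-2026-48926"]),
    "AppSpider Plugin": ("1.0.17", ["CVE-2026-48923"]),
    "buildgraph-view Plugin": ("1.8", ["CVE-2026-48927"]),
    "Bitbucket OAuth Plugin": ("0.17", ["CVE-2026-48924"]),
}


def version_key(version: str) -> Tuple[int, ...]:
    """Leading numeric components of a Jenkins plugin version, as a tuple.

    Parsing stops at the first component that is not purely numeric, so
    "720.v3f6decef43ea" -> (720,), "0.7.3" -> (0, 7, 3), "2.42-beta" -> (2, 42).
    """
    key = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        key.append(int(m.group()))
        if m.end() != len(part):  # digits followed by a suffix: take them and stop
            break
    return tuple(key)


def is_affected(installed: str, last_affected: str) -> bool:
    """True when `installed` is the listed version or older (inclusive)."""
    return version_key(installed) <= version_key(last_affected)


def audit(installed_plugins: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {plugin display name: CVE list} for plugins still at an affected version."""
    findings: Dict[str, List[str]] = {}
    for name, version in installed_plugins.items():
        entry = ADVISORY_2026_05_27.get(name)
        if entry and is_affected(version, entry[0]):
            findings[name] = entry[1]
    return findings


# Constructed inventory; the "vhypothetical" versions are placeholders, not real releases.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Credentials Binding Plugin": "720.v3f6decef43ea",   # exactly the last affected version
    "Email Extension Plugin": "1950.vhypothetical0",     # hypothetical newer build
    "Active Directory Plugin": "2.40",                   # older than 2.41
    "LDAP Plugin": "808.vhypothetical0",                 # hypothetical newer build
    "Git Plugin": "5.0.0",                               # not part of this advisory
}

if __name__ == "__main__":
    for plugin, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{plugin}: still affected by {', '.join(cves)}")
```

In practice the inventory comes from the plugin manager (the `/pluginManager/api/json?depth=1` REST endpoint lists each plugin's short name and version); the audit function is deliberately independent of how that list is collected.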
Why this batch matters
This disclosure is notable for its breadth — 13 CVEs across 11 different plugins in a single advisory — and for the severity of the Credentials Binding Plugin flaw, which can lead to remote code execution. The LDAP referral issues are particularly concerning for organizations using Active Directory or LDAP authentication with Jenkins, as they combine two dangerous behaviors (following referrals by default and deserializing without validation) that could be chained by an attacker who compromises or controls the LDAP server.