CVE-2025-59474
Description
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission, allowing attackers without Overall/Read permission to list agent names through its sidepanel executors widget.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins fails to check permissions in its sidepanel, allowing users lacking Overall/Read to list agent names via the executors widget.
Overview
CVE-2025-59474 is a missing permission check vulnerability in Jenkins core, affecting versions 2.527 and earlier, as well as LTS 2.516.2 and earlier. The issue resides in the sidepanel of a page that is intentionally accessible to users without the Overall/Read permission. Specifically, the sidepanel's executors widget fails to enforce any permission check, allowing an attacker to list agent names [1][2].
Exploitation
An attacker with no authentication or minimal privileges (lacking Overall/Read) can access the vulnerable page and view the sidepanel. By interacting with the executors widget, they can enumerate the names of agents configured on the Jenkins instance. No additional privileges or special access are required for this information disclosure [2][3].
Impact
The primary impact is information disclosure: an attacker can learn the names of agents, which may aid in reconnaissance for further attacks. While agent names alone are not highly sensitive, they can reveal infrastructure details or be used to identify target systems for subsequent exploitation. The CVSS severity is rated Medium [1][2].
Mitigation
The vulnerability has been addressed in Jenkins versions 2.528 and LTS 2.516.3, which remove the sidepanel from the affected view. Users are strongly advised to upgrade to these or later releases. No workaround is provided for users unable to upgrade [2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | Maven | < 2.516.3 | 2.516.3 |
| org.jenkins-ci.main:jenkins-core | Maven | >= 2.517, < 2.528 | 2.528 |
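As an added example (not part of this CVE record or of the Jenkins project), the following script classifies Jenkins core version strings against the two GHSA ranges in the table above and names the patched release to move to. It assumes numeric versions only, and it treats a three-component version (2.516.2) as the LTS line and a two-component version (2.527) as the weekly line when picking the upgrade target; that split is my assumption, not a statement from the advisory.

```python
# Added example, not from the CVE record or the Jenkins project: classify
# Jenkins core version strings against the GHSA ranges for CVE-2025-59474.
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Ranges from the affected-packages table: lower bound inclusive, upper bound
# exclusive. An empty lower bound means "no lower bound".
AFFECTED_RANGES = [
    ((), (2, 516, 3)),        # < 2.516.3, fixed in LTS 2.516.3
    ((2, 517), (2, 528)),     # >= 2.517, < 2.528, fixed in weekly 2.528
]


def parse_version(text: str) -> Version:
    """Turn '2.527' or '2.516.2' into a tuple of ints. Tuple ordering matches
    numeric version ordering, e.g. (2, 516) < (2, 516, 3) < (2, 517)."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a numeric Jenkins core version: {text!r}")
    return tuple(int(part) for part in parts)


def is_affected(text: str) -> bool:
    """True when the version falls inside any affected range."""
    ver = parse_version(text)
    return any(lower <= ver < upper for lower, upper in AFFECTED_RANGES)


def fixed_version_for(text: str) -> Optional[str]:
    """Patched release for an affected version, None if already patched.
    Assumption (mine, not the advisory's): three components = LTS line,
    which moves to 2.516.3; two components = weekly line, moves to 2.528."""
    if not is_affected(text):
        return None
    return "2.516.3" if len(parse_version(text)) == 3 else "2.528"


def triage(versions: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each reported version to its upgrade target (None = not affected)."""
    return {v: fixed_version_for(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. versions read from the X-Jenkins
    # response header of each controller in an estate.
    for v, fix in triage(["2.527", "2.528", "2.516.2", "2.516.3", "2.504.3"]).items():
        print(f"{v:>9}: {'upgrade to ' + fix if fix else 'not affected'}")
```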
Affected products
- Range: <= 2.527 (core) / <= 2.516.2 (LTS)
- Jenkins Project / Jenkins (Range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-67v4-38h7-9jjp (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-59474 (GHSA, advisory)
- https://www.jenkins.io/security/advisory/2025-09-17/ (GHSA, vendor advisory, web)
- https://www.openwall.com/lists/oss-security/2025/09/17/1 (GHSA, web)
News mentions
- Jenkins Security Advisory 2025-09-17 (Jenkins Security Advisories, Sep 17, 2025)