High severity7.5NVD Advisory· Published Apr 29, 2026· Updated May 6, 2026

CVE-2026-42520

Description

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:credentials-bindingMaven	< 720.v3f6decef43ea	720.v3f6decef43ea

Affected products

Jenkinsci/Credentials Binding Plugininferred
Range: <=719.v80e905ef14eb_
Jenkins/Credentials Binding
cpe:2.3:a:jenkins:credentials_binding:*:*:*:*:*:jenkins:*:*
Range: <=719.v80e905ef14eb

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-p2rf-wpxj-mx2gghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42520ghsaADVISORY
www.jenkins.io/security/advisory/2026-04-29/nvdVendor AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000