Medium severity6.5NVD Advisory· Published Apr 29, 2026· Updated May 6, 2026

CVE-2026-42521

Description

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:matrix-authMaven	>= 2.0-beta-1, < 3.2.10	3.2.10

Affected products

Jenkins/Matrix Authorization Strategy4 versions
cpe:2.3:a:jenkins:matrix_authorization_strategy:2.0:beta1:*:*:*:jenkins:*:*+ 3 more
- cpe:2.3:a:jenkins:matrix_authorization_strategy:2.0:beta1:*:*:*:jenkins:*:*
- cpe:2.3:a:jenkins:matrix_authorization_strategy:2.0:beta2:*:*:*:jenkins:*:*
- cpe:2.3:a:jenkins:matrix_authorization_strategy:2.0:beta3:*:*:*:jenkins:*:*
- cpe:2.3:a:jenkins:matrix_authorization_strategy:*:*:*:*:*:jenkins:*:*range: >=2.1,<3.2.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-jp9r-mmhw-vff3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-42521ghsaADVISORY
www.jenkins.io/security/advisory/2026-04-29/nvdVendor AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000