CVE-2026-48916
Description
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins LDAP Plugin up to 807.v7d7de30930cf follows LDAP referrals, allowing RCE via deserialization of attacker-controlled data.
Vulnerability
Jenkins LDAP Plugin versions 807.v7d7de30930cf and earlier follow LDAP referrals from the configured LDAP server. The plugin does not validate or restrict the referral URLs, which can include RMI URLs pointing to attacker-controlled servers. This behavior occurs whenever the plugin connects to an LDAP server that returns a referral response.
Exploitation
An attacker must be able to control the LDAP server that Jenkins is configured to use, or must be able to perform a machine-in-the-middle attack to modify LDAP responses. When the Jenkins controller follows a referral to an RMI URL, it deserializes data from that RMI endpoint. If deserialization gadgets are available on the Jenkins controller's classpath, arbitrary code execution becomes possible.
Impact
Successful exploitation results in remote code execution (RCE) on the Jenkins controller. An attacker can execute arbitrary commands or code, gaining full control of the Jenkins instance and potentially accessing sensitive data, credentials, and connected systems [1].
Mitigation
LDAP Plugin version 807.809.vd3a_4e5e4ec98 no longer follows LDAP referrals. Users should upgrade to this version or later. As of the advisory date (2026-05-27), no workaround is described for this plugin; administrators unable to update must ensure the LDAP server is trusted and network traffic is protected against machine-in-the-middle attacks [1].
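As an added example (not code from Jenkins or the LDAP Plugin project), the following Python script reads a controller's plugin inventory and flags LDAP Plugin builds that are still in the affected range, so an administrator can confirm the upgrade described above actually landed. It assumes the inventory is the JSON returned by a controller's /pluginManager/api/json?depth=1 endpoint (read from a saved file, with a constructed sample embedded for offline use), that the plugin appears under the shortName "ldap", and it uses a simplified ordering in place of Jenkins' own hudson.util.VersionNumber logic: components are split on ".", numeric ones compare as numbers, and a textual component such as "v7d7de30930cf" ranks below any number at the same position.

```python
"""Flag Jenkins LDAP Plugin versions affected by CVE-2026-48916.

Added example for this page, not Jenkins or plugin code. The two version
strings come from the advisory; every other value below is constructed.
"""
import json
import re
import sys

# First LDAP Plugin release that no longer follows LDAP referrals (from the advisory).
FIXED_VERSION = "807.809.vd3a_4e5e4ec98"
# Assumed shortName under which the LDAP Plugin is listed by the plugin manager.
LDAP_PLUGIN_SHORT_NAME = "ldap"

# Constructed sample of /pluginManager/api/json?depth=1 output. The second
# plugin entry and its version are made up to show that other plugins are ignored.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "ldap", "longName": "LDAP Plugin",
         "version": "807.v7d7de30930cf", "active": True, "enabled": True},
        {"shortName": "example-other", "longName": "Example Other Plugin",
         "version": "1.2.3", "active": True, "enabled": True},
    ]
})


def version_key(version: str) -> tuple:
    """Turn '807.809.vd3a_4e5e4ec98' into a tuple that sorts like a version.

    Numeric components become (1, n); textual components become (0, text),
    so a number always outranks a qualifier in the same position. This is a
    simplification of Jenkins' VersionNumber ordering, sufficient for the
    release line discussed in the advisory.
    """
    items = []
    for part in version.split("."):
        if re.fullmatch(r"\d+", part):
            items.append((1, int(part)))
        else:
            items.append((0, part))
    return tuple(items)


def is_affected(version: str) -> bool:
    """True when the installed version sorts before the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def find_ldap_plugin_findings(plugin_manager_json: str) -> list:
    """Return one finding per LDAP Plugin entry in the inventory."""
    inventory = json.loads(plugin_manager_json)
    findings = []
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") != LDAP_PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")  # missing version is treated as affected
        findings.append({
            "shortName": plugin["shortName"],
            "version": version,
            "affected": is_affected(version),
        })
    return findings


if __name__ == "__main__":
    # Usage: python check_ldap_plugin.py plugins.json   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_PLUGIN_MANAGER_JSON
    for finding in find_ldap_plugin_findings(raw):
        status = ("AFFECTED, upgrade to %s or later" % FIXED_VERSION
                  if finding["affected"] else "not affected")
        print("%s %s: %s" % (finding["shortName"], finding["version"], status))
```

Run it against a saved copy of the plugin manager JSON from each controller; a version of 807.809.vd3a_4e5e4ec98 or later reports "not affected", anything earlier (or an entry with no version string) is flagged.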
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=807.v7d7de30930cf
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- [1] Jenkins Security Advisory 2026-05-27 (Jenkins Security Advisories, May 27, 2026)