CVE-2026-48917
Description
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes attacker-controlled data from LDAP referrals, enabling RCE if deserialization gadgets are present.
Vulnerability
Jenkins LDAP Plugin versions 807.v7d7de30930cf and earlier follow LDAP referrals from the configured LDAP server. These referrals can forward to an RMI URL, causing Jenkins to deserialize attacker-controlled data without any validation [1]. This deserialization can lead to remote code execution if deserialization gadgets are available on the classpath [1].
Exploitation
An attacker must either control the configured LDAP server or be able to perform a machine-in-the-middle attack to inject a malicious referral. The referral points to an RMI URL containing attacker-controlled serialized data. When Jenkins processes the referral, it deserializes the data, potentially triggering arbitrary code execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the Jenkins controller with the privileges of the Jenkins process. This results in full compromise of the Jenkins instance, including access to secrets, builds, and configurations [1].
Mitigation
The vulnerability is fixed in LDAP Plugin version 807.809.vd3a_4e5e4ec98, which no longer follows LDAP referrals. Users should update to this version or later. If unable to update, administrators can disable referral following using a Java system property as a workaround (see advisory [1] for details).
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=807.v7d7de30930cf
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Jenkins Security Advisory 2026-05-27, Jenkins Security Advisories, May 27, 2026