CVE-2026-48918

Vulnerability

Jenkins Active Directory Plugin versions 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. A malicious LDAP referral can point to an RMI URL, causing Jenkins to deserialize attacker-controlled data. This affects all installations where the plugin is configured to connect to an Active Directory server. [1]

Exploitation

An attacker who can control the configured Active Directory server (e.g., by compromising it via other means) or who can perform a machine-in-the-middle attack between Jenkins and the LDAP server can send a crafted LDAP referral response. The referral points to an RMI endpoint under the attacker’s control. Jenkins will follow the referral, fetch the serialized object from the RMI server, and attempt to deserialize it. [1]

Impact

Successful exploitation results in remote code execution (RCE) on the Jenkins controller. The attacker gains arbitrary code execution at the privilege level of the Jenkins controller process, which typically has full access to Jenkins configuration, jobs, and secrets. The impact is limited if deserialization gadget chains are not present on the classpath. [1]

Mitigation

Fixed in Active Directory Plugin version 2.41.1, released on 2026-05-27, which no longer follows LDAP referrals by default. Administrators unable to update can start Jenkins with the Java system property -Dhudson.plugins.active_directory.ActiveDirectorySecurityRealm.followReferrals=false to disable referral following as a workaround. [1]