VYPR
Medium severity 6.6 · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-48919

Description

Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Active Directory Plugin 2.41 and earlier deserializes attacker-controlled data from LDAP referrals, potentially leading to remote code execution.

Vulnerability

Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default without validating the data received. These referrals can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in a deserialization vulnerability [1]. The affected versions are 2.41 and all earlier releases.

Exploitation

An attacker who can control the configured Active Directory server, or who can perform a machine-in-the-middle attack on the LDAP connection, can craft a malicious LDAP referral that points to an RMI endpoint. When Jenkins follows the referral, it deserializes the attacker-supplied data without validation [1]. No additional authentication or user interaction is required beyond the initial configuration of the Active Directory server.

Impact

Successful exploitation allows an attacker to achieve remote code execution (RCE) on the Jenkins controller if the required deserialization "gadgets" are available on the classpath [1]. The attacker gains full control over the Jenkins controller at the privilege level of the Jenkins process.

Mitigation

Active Directory Plugin version 2.41.1, released on 2026-05-27, no longer follows LDAP referrals by default, mitigating this vulnerability [1]. Administrators unable to update immediately can start Jenkins with the system property -Djenkins.security.FollowLDAPReferrals=false as a workaround [1].
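A defender-side check for the two conditions stated above (plugin version 2.41 or earlier, and the FollowLDAPReferrals workaround property), as an added shell example that is not from the advisory, Jenkins or the plugin; how the plugin version string and the JVM command line are collected on a given host is assumed to be site-specific.

```shell
#!/bin/sh
# Added example for CVE-2026-48919; not from the advisory, Jenkins or the plugin.
# Inputs: the installed Active Directory plugin version string and the Jenkins JVM
# command line. How you collect them (plugin manifest, ps output) is site-specific
# and assumed here; the version 2.41.1 and the property name come from the advisory.

# Returns 0 when version $1 is older than the fixed 2.41.1 (i.e. 2.41 or earlier).
# Compares dotted components numerically so that 2.9 < 2.41 and 2.41 < 2.41.1.
ad_plugin_affected() {
    ver="$1"
    fixed="2.41.1"
    i=1
    while :; do
        a=$(printf '%s\n' "$ver"   | awk -F. -v n="$i" '{print $n}')
        b=$(printf '%s\n' "$fixed" | awk -F. -v n="$i" '{print $n}')
        [ -z "$a" ] && [ -z "$b" ] && return 1     # ran out of components: equal
        a=$(printf '%s' "$a" | tr -cd '0-9'); a=${a:-0}   # keep digits ("41-SNAPSHOT" -> 41)
        b=$(printf '%s' "$b" | tr -cd '0-9'); b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
}

# Returns 0 when the JVM command line $1 carries the documented workaround property.
workaround_present() {
    case "$1" in
        *-Djenkins.security.FollowLDAPReferrals=false*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints FIXED, MITIGATED or VULNERABLE; exit status 0 only when the host is not exposed.
cve_2026_48919_status() {
    if ! ad_plugin_affected "$1"; then echo FIXED; return 0; fi
    if workaround_present "$2"; then echo MITIGATED; return 0; fi
    echo VULNERABLE
    return 1
}

# Constructed sample inputs (not from a real host): an affected plugin version on a
# controller started with the workaround property.
SAMPLE_VERSION="2.41"
SAMPLE_CMDLINE="java -Djenkins.security.FollowLDAPReferrals=false -jar jenkins.war"
cve_2026_48919_status "$SAMPLE_VERSION" "$SAMPLE_CMDLINE"
```

Feed it the real version and command line from each controller in an inventory loop; a non-zero exit marks a host that still follows referrals with an affected plugin.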

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1