CVE-2026-48920
Description
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as base64 in email content by setting the data-inline attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify file: URLs for images to read arbitrary files from the Jenkins controller filesystem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Email Extension Plugin allows attackers with email content control to read arbitrary files via unvalidated `file:` URLs in inline images.
Vulnerability
Jenkins Email Extension Plugin versions 1933.v45cec755423f and earlier allow inlining images as base64 in email content by setting the data-inline attribute, without restricting the image URLs that can be inlined [1]. This enables attackers who can control the email content to specify file: URLs for images, exploiting the lack of validation to read arbitrary files from the Jenkins controller filesystem [1].
Exploitation
An attacker capable of controlling the email content (for example through a project whose email notifications incorporate attacker-influenced text, or via another plugin that allows email content injection) can insert an `<img>` tag that carries the `data-inline` attribute and uses a `file:` URL as its image source. The plugin resolves that URL without checking its scheme, reads the file from the controller's filesystem, and embeds the contents in the email as a base64-encoded image [1].
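The following is an added example, written for this page and not taken from the Email Extension Plugin's source: a small Python model of an inliner that rewrites `data-inline` images to base64 `data:` URIs. Run with no scheme restriction it reproduces the behaviour the advisory describes (a `file:` URL becomes a disk read on the controller); run with an allow-list it refuses the same tag. The regex-based tag handling, the `fetch_file_url` fetcher, the `SAFE_SCHEMES` allow-list and the secret file are assumptions made so the example runs offline; the actual fix in 1934.v15751df72d56 is described only as no longer inlining `file:` URLs [1].

```python
"""Model of a data-inline image inliner (example code, not the plugin's).
Unrestricted mode fetches whatever URL the <img> names; allow-list mode
refuses anything that is not http(s). Everything here is a constructed
approximation of the behaviour in the advisory, not the plugin's parser."""
import base64
import mimetypes
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)
INLINE_ATTR = re.compile(r"\bdata-inline\b", re.IGNORECASE)

# Assumed allow-list: an allow-list is preferred over a "not file:" deny-list,
# because a JVM-style URL resolver understands more than http, https and file.
SAFE_SCHEMES = frozenset({"http", "https"})


def fetch_file_url(url: str) -> bytes:
    """The dangerous primitive: a file: URL turned into a read of local disk.
    Only file: is implemented so that the example runs offline (assumption)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        raise ValueError("offline example cannot fetch %s: URLs" % parsed.scheme)
    with open(unquote(parsed.path), "rb") as fh:
        return fh.read()


def _inline_sources(html: str):
    """Yield (tag, src_match, src) for every <img> that carries data-inline."""
    for tag_m in IMG_TAG.finditer(html):
        tag = tag_m.group(0)
        if not INLINE_ATTR.search(tag):
            continue
        src_m = SRC_ATTR.search(tag)
        if src_m is None:
            continue
        src = next(g for g in src_m.groups() if g is not None)
        yield tag_m, src_m, src


def inline_images(html: str, fetch=fetch_file_url, allowed_schemes=None) -> str:
    """Replace the src of each data-inline <img> with a base64 data: URI.
    allowed_schemes=None is the unrestricted (vulnerable) policy; pass
    SAFE_SCHEMES to leave disallowed images untouched instead of fetching."""
    out, last = [], 0
    for tag_m, src_m, src in _inline_sources(html):
        scheme = urlparse(src).scheme.lower()
        if allowed_schemes is not None and scheme not in allowed_schemes:
            continue  # refused: neither the disk nor the network is touched
        data = fetch(src)
        mime = mimetypes.guess_type(src)[0] or "application/octet-stream"
        data_uri = "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))
        start = tag_m.start() + src_m.start()
        end = tag_m.start() + src_m.end()
        out.append(html[last:start] + 'src="%s"' % data_uri)
        last = end
    out.append(html[last:])
    return "".join(out)


def unsafe_inline_sources(html: str, allowed_schemes=SAFE_SCHEMES):
    """Audit helper: data-inline image sources whose scheme is not allowed.
    Usable for scanning stored templates or pipeline scripts before an upgrade."""
    return [src for _, _, src in _inline_sources(html)
            if urlparse(src).scheme.lower() not in allowed_schemes]


def demo():
    """Constructed scenario: a secret on the 'controller' and an attacker-
    controlled body. Returns what each policy did with the file: image."""
    secret = b"<secret>hunter2</secret>"  # constructed sample content
    with tempfile.NamedTemporaryFile("wb", suffix=".xml", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        body = '<p>Build done</p><img data-inline src="%s" alt="logo">' % Path(path).as_uri()
        leaked = inline_images(body)                                # unrestricted
        refused = inline_images(body, allowed_schemes=SAFE_SCHEMES)  # allow-list
        return {
            "leaked": base64.b64encode(secret).decode("ascii") in leaked,
            "blocked": refused == body,
            "flagged": unsafe_inline_sources(body),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The audit helper is the practical piece for an unpatched controller: because the advisory lists no workaround, the only pre-upgrade check is to look for `data-inline` images whose source is anything other than an http(s) URL in content that untrusted users can influence.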
Impact
Successful exploitation allows the attacker to read arbitrary files on the Jenkins controller filesystem, leading to information disclosure of sensitive data such as credentials, configuration files, and secrets accessible to the Jenkins process [1]. The impact is limited to file read, not code execution, but can severely compromise confidentiality.
Mitigation
Jenkins has released a fix in Email Extension Plugin version 1934.v15751df72d56, which no longer inlines images with file: URLs [1]. Users are advised to upgrade to this version or later. There is no known workaround for unpatched versions [1]. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1933.v45cec755423f
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- [1] Jenkins Security Advisory 2026-05-27 (Jenkins Security Advisories, May 27, 2026)