VYPR
Medium severity (4.3) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-48923

Description

Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing permission check in Jenkins AppSpider Plugin allows attackers with Overall/Read to probe an attacker-specified URL.

Vulnerability

Jenkins AppSpider Plugin version 1.0.17 and earlier lacks a permission check in a method that implements form validation. Because Jenkins exposes such methods as ordinary HTTP endpoints, any user holding Overall/Read can call it directly and make the controller connect to a URL of the caller's choosing, i.e. a Server-Side Request Forgery (SSRF).

Exploitation

The attacker needs Overall/Read permission in Jenkins, which many installations grant to every authenticated user and, where anonymous read access is enabled, to unauthenticated visitors as well. The attacker sends a request to the plugin's form-validation endpoint with an arbitrary URL in the validated parameter; no interaction with the configuration form itself is required. The Jenkins controller then attempts to connect to that URL.
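The pattern described in the Vulnerability and Exploitation sections, shown as an added example that is not the AppSpider Plugin's code and is not taken from the advisory: a hypothetical global-configuration descriptor (class name ExampleScannerConfiguration and method names doCheckServerUrl and doCheckServerUrlSafe are assumed) whose validation method connects to the caller's URL with no permission check, next to the hardened form that applies the permission check, POST-only annotation and scheme restriction that Jenkins's developer guidance prescribes for validation methods with side effects. Only public Jenkins core and Stapler APIs are used.

```java
// Added illustration of a form-validation method with and without a permission check.
// NOT the AppSpider Plugin's source: ExampleScannerConfiguration, doCheckServerUrl and
// doCheckServerUrlSafe are assumed names. Only public Jenkins core / Stapler APIs are used.
package example;

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class ExampleScannerConfiguration extends GlobalConfiguration {

    // VULNERABLE: Stapler routes this public doXxx method to
    // /descriptorByName/example.ExampleScannerConfiguration/checkServerUrl?value=...
    // Reaching that URL needs only Overall/Read; nothing here checks anything stronger,
    // and the controller connects to whatever the caller supplied.
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(value).openConnection();
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            return FormValidation.ok("Server responded with HTTP " + conn.getResponseCode());
        } catch (Exception e) {
            // "Connection refused" vs "timed out" vs "unknown host" is echoed verbatim,
            // which is what turns a URL fetch into a host and port scanner.
            return FormValidation.error("Could not connect: " + e.getMessage());
        }
    }

    // HARDENED: the pattern Jenkins's developer documentation prescribes for validation
    // methods that have side effects (here: outbound connections).
    //  1. Require the permission needed to use the value. A global configuration field
    //     can only be saved by administrators, so require Overall/Administer.
    //  2. Accept POST only, so the request needs a CSRF crumb and cannot be a plain link.
    //  3. Refuse anything that is not an http(s) URL before touching the network.
    @POST
    public FormValidation doCheckServerUrlSafe(@QueryParameter String value) {
        // Throws an AccessDeniedException (rendered as HTTP 403) for callers
        // without Overall/Administer, before the URL is even parsed.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        URL url;
        try {
            url = new URL(value);
        } catch (Exception e) {
            return FormValidation.error("Not a valid URL");
        }
        String scheme = url.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return FormValidation.error("Only http and https URLs are supported");
        }

        try {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            conn.setInstanceFollowRedirects(false); // a redirect must not pivot the request elsewhere
            int code = conn.getResponseCode();
            return code < 400 ? FormValidation.ok() : FormValidation.warning("Server returned HTTP " + code);
        } catch (Exception e) {
            // Generic message: do not leak network error detail into a response
            // that may be logged or copied.
            return FormValidation.error("Could not connect to the server");
        }
    }
}
```

With only Overall/Read, a request to the vulnerable endpoint makes the controller open the connection and returns the error text to the caller; the same request to the hardened endpoint is rejected at the checkPermission call, and a GET to it is rejected outright by the @POST annotation.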

Impact

Successful exploitation lets the attacker make the Jenkins controller issue HTTP requests to hosts the controller can reach, including internal services that are not exposed to the attacker directly. Differences in the validation response (success, connection refused, timeout, unresolved host) let the attacker enumerate internal hosts and open ports and interact with services reachable from the controller. The vulnerability is an information-disclosure and network-reconnaissance vector, not a direct code-execution one.

Mitigation

Jenkins AppSpider Plugin 1.0.17 and earlier are affected. Reference [1] does not name a fixed version. Until one is available, administrators should uninstall or disable the plugin if it is not in use, and otherwise restrict Overall/Read to trusted users, in particular by disabling anonymous read access. Reference [1] does not indicate that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1