VYPR
Medium severity (4.3) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-48925

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger builds for pull requests.

Vulnerability

The Jenkins GitHub Integration Plugin version 0.7.3 and earlier is vulnerable to cross-site request forgery (CSRF) attacks. This allows an attacker to trick a Jenkins user with sufficient permissions into executing unintended actions, specifically triggering a build for a pull request. The vulnerability is present in the plugin's web endpoints that handle build triggers without proper CSRF tokens or validation [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious web page or link that, when visited by an authenticated Jenkins user, triggers a build for a pull request. The attacker does not need direct access to Jenkins but relies on the victim's session and permissions. The attack requires no special precondition other than the victim having the ability to trigger builds for pull requests via the plugin [1].

Impact

Successful exploitation allows an attacker to trigger unauthorized builds for pull requests, potentially causing resource consumption, disruption of development workflows, or further exploitation if the build process is misused. The impact is limited to build triggering; no code execution or data disclosure is directly achieved [1].

Mitigation

As of the publication date (2026-05-27), no fixed version of the GitHub Integration Plugin has been disclosed in the available references. Users should consider disabling the plugin if not essential, or apply general CSRF protection measures such as using Jenkins' built-in CSRF protection (which should be enabled by default). Monitor for updates from Jenkins [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, its four parts (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1