CVE-2026-48926
Description
Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier exposes an HTTP endpoint that leaks credential IDs to users with Overall/Read permission.
Vulnerability
Jenkins Job Import Plugin versions 143.v044a_2e819b_27 and earlier contain a missing permission check in an HTTP endpoint. This allows any authenticated user with the built-in Overall/Read permission to enumerate credential IDs of stored credentials. The affected endpoint does not verify that the user has the required Credentials/View or Credentials/Delete permissions before responding. [1]
Exploitation
An attacker must be authenticated to Jenkins and possess the Overall/Read permission, which is granted to all authenticated users by default in many configurations. No additional privileges are needed. The attacker sends a request to the unprotected endpoint and receives a list of credential IDs (not the secret values) that are stored in Jenkins. [1]
Impact
While credential IDs alone do not reveal the actual secrets, knowledge of these IDs can assist in further attacks. For example, an attacker may use them in combination with other vulnerabilities (such as cross-site request forgery or insecure direct object references) to manipulate or use the credentials in unauthorized ways. The confidentiality of credential metadata is compromised, potentially lowering the bar for privilege escalation. [1]
Mitigation
Jenkins has released Job Import Plugin version 144.v369c0c7fc7d8, which adds the missing permission check. Users should upgrade to this version or later. If upgrading is not immediately possible, consider restricting the Overall/Read permission to only trusted users, though this may affect normal operations. No other workaround is documented in the advisory. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected product entries (both with the same range; 1 further entry collapsed on the page)
- (no CPE) range: <=143.v044a_2e819b_27
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions (1)
[1] Jenkins Security Advisory 2026-05-27, Jenkins Security Advisories, May 27, 2026