VYPR
← All advisories
Medium severity4.3NVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

CVE-2026-53436

CVE-2026-53436

Description

Jenkins versions 2.567 and earlier are vulnerable to phishing attacks due to improper validation of redirect URLs after login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins versions 2.567 and earlier are vulnerable to phishing attacks due to improper validation of redirect URLs after login.

Vulnerability

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, improperly determine that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments like ./ or ../. This allows for the possibility of phishing attacks [1].

Exploitation

An attacker needs to have at least Overall/Read permission and a user account, or permissions allowing them to POST config.xml (e.g., Item/Configure, View/Configure, Agent/Configure). The attacker can then submit a crafted config.xml file that leverages Stapler's reflective access to deserialize arbitrary types, enabling them to handle HTTP requests afterwards [1].

Impact

Successful exploitation allows attackers to impersonate any user and send HTTP requests on their behalf, potentially leading to the execution of arbitrary code via the Script Console. Attackers can also read arbitrary files from the Jenkins controller [1].

Mitigation

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, are affected. A fix is available in Jenkins 2.568 and LTS 2.555.3, released on June 10, 2026 [1].

References
  1. Jenkins Security Advisory 2026-06-10

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Jenkins Project/Jenkinsinferred2 versions
    <=2.567, L=2.555.2+ 1 more
    • (no CPE)range: <=2.567, L=2.555.2
    • (no CPE)range: <=2.567, LTS <=2.555.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

2