VYPR
Medium severity (score 4.3) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-53437

Description

Jenkins versions 2.567 and earlier are vulnerable to phishing attacks due to improper handling of redirect URLs containing tab or newline characters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, improperly determine that a redirect URL after login legitimately points back to Jenkins when the URL contains tab or newline characters between two slashes. The check sees a target that begins with a single slash and treats it as a path on the same server, but browsers delete ASCII tab and newline from a URL before parsing it (WHATWG URL Standard), so a target of the form /<TAB>/host is navigated as //host, a protocol-relative URL pointing at a different site. This lets an attacker craft URLs that appear to lead to Jenkins but forward the user elsewhere after login, which is what makes them useful for phishing [1].
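The following is an added example, not Jenkins's code and not from the advisory. It is written in Python rather than Java so that the check can be run on its own, and it models the class of bug described above: a hypothetical naive "does this target stay on my server" check beside a hardened one, plus a function that reproduces how a WHATWG-conforming browser normalises the same string. The sample targets, including evil.example, are constructed for the demonstration; the backslash case goes slightly beyond the advisory and is included because browsers apply the same slash normalisation to it.

```python
from urllib.parse import urlsplit

# The WHATWG URL Standard deletes ASCII tab and newline from a URL string before
# parsing it, and browsers implement that. So a redirect target such as
# "/\t/evil.example/" reaches the server's check with a tab in it but is
# navigated by the browser as "//evil.example/" (protocol-relative, other host).
ASCII_TAB_OR_NEWLINE = "\t\n\r"


def naive_is_local(target: str) -> bool:
    """Hypothetical vulnerable check in the style the advisory describes (not
    Jenkins's code): a target starting with one '/' is assumed to stay local."""
    return target.startswith("/") and not target.startswith("//")


def browser_host(target: str) -> str:
    """Host a WHATWG-conforming browser would navigate to for `target`.

    Returns "" when the browser stays on the current origin. Models two
    normalisations browsers apply to http(s) URLs: tab/newline are deleted,
    and a backslash is treated as a forward slash.
    """
    cleaned = "".join(ch for ch in target if ch not in ASCII_TAB_OR_NEWLINE)
    cleaned = cleaned.replace("\\", "/")
    return urlsplit(cleaned).hostname or ""


def hardened_is_local(target: str) -> bool:
    """Check that only accepts a plain same-origin path.

    Rejects any character the browser would delete, normalises '\\' to '/'
    the way the browser will, then insists the result has neither a scheme
    nor an authority and begins with exactly one slash.
    """
    if any(ch in target for ch in ASCII_TAB_OR_NEWLINE):
        return False
    cleaned = target.replace("\\", "/")
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return False
    parts = urlsplit(cleaned)
    return parts.scheme == "" and parts.netloc == ""


# Constructed sample targets: what a server-side check sees in the request.
SAMPLES = [
    "/job/demo/",             # legitimate relative path
    "//evil.example/",        # obvious protocol-relative URL
    "/\t/evil.example/",      # tab between the slashes (this CVE's pattern)
    "/\n/evil.example/",      # newline between the slashes (same pattern)
    "/\\evil.example/",       # backslash variant browsers also accept
    "https://evil.example/",  # absolute URL
]


def evaluate(targets=SAMPLES):
    """Return, per target, whether the naive and hardened checks accept it and
    which host the browser would actually go to."""
    return [(t, naive_is_local(t), hardened_is_local(t), browser_host(t)) for t in targets]


if __name__ == "__main__":
    for target, naive_ok, hard_ok, host in evaluate():
        print(f"{target!r:26} naive={naive_ok!s:5} hardened={hard_ok!s:5} "
              f"browser_host={host or '(same origin)'}")
```

Running it shows the gap the advisory describes: the naive check accepts the tab and newline variants because they start with a single slash, while browser_host reports that the browser would land on evil.example for exactly those inputs. The hardened check refuses anything containing characters the browser will strip rather than trying to guess how every client normalises them, which is the safer rule for a redirect validator.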

Exploitation

The attacker does not need an account or any permission on the Jenkins instance; the victim does. The attacker builds a Jenkins login URL whose post-login redirect target begins with a single slash but contains a tab or newline between two slashes (for example /<TAB>/evil.example/, a constructed illustration) and sends it to a user of that Jenkins. Jenkins sees a target beginning with a slash and accepts it as local; once the victim has logged in, the browser deletes the tab or newline, reads the target as the protocol-relative URL //evil.example/, and loads the attacker's site. Because the victim has just completed a genuine Jenkins login, the change of host is easy to miss [1].

Impact

Successful exploitation forwards a user who has just authenticated to Jenkins to an attacker-controlled site. A page there that imitates Jenkins can then ask the user to re-enter credentials or other sensitive information, and the preceding legitimate login lends it credibility [1]. Jenkins itself is not compromised by this bug; the damage comes from what the user does on the attacker's page.

Mitigation

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, are affected. No fixed release is recorded on this page yet; update to the fixed version named in the Jenkins security advisory as soon as it is published [1]. Until then, treat Jenkins login links received by e-mail or chat as untrusted, and after logging in confirm that the browser is still on the Jenkins host before entering anything further.

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 2