VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-53438
Description

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, allow users with Item/Cancel permission to cancel queue items they cannot view due to a missing permission check.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Jenkins versions 2.567 and earlier, and LTS versions 2.555.2 and earlier, a missing permission check allows attackers with the Item/Cancel permission, but without Item/Read permission, to cancel queue items they are not authorized to view. This vulnerability stems from insufficient validation of permissions when interacting with queue items [1].

Exploitation

An attacker needs to possess the Item/Cancel permission but not the Item/Read permission on the Jenkins instance. With these permissions, the attacker can target and cancel queue items that they are otherwise unable to see or interact with, by exploiting the lack of a proper permission check before the cancellation action is performed [1].

Impact

Successful exploitation allows an attacker to cancel queue items that they do not have permission to view. While the immediate impact is limited to the cancellation of specific queue items, this could potentially disrupt legitimate build processes or operations managed through the Jenkins queue, leading to denial of service for specific tasks [1].

Mitigation

Jenkins version 2.568 and LTS version 2.555.3 have been released to address this vulnerability. Users are advised to update to these fixed versions as soon as possible. No workarounds are specified in the available references, and the vulnerability is not listed as being actively exploited in the wild [1].
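As an added example that is not part of the advisory or the Jenkins project, the following Python audit script checks a matrix-authorization configuration for principals holding Item/Cancel without Item/Read (the condition described above) and tests whether a version string is at or past the fixed releases named in this section. The XML sample is constructed, and the two `<permission>` entry layouts it parses are assumptions about the matrix-auth config.xml format.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the matrix-auth config.xml layout (assumption);
# both the older "perm:sid" and the newer "TYPE:perm:sid" styles are handled.
SAMPLE_CONFIG_XML = """<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
  <permission>hudson.model.Hudson.Administer:admin</permission>
  <permission>hudson.model.Item.Read:alice</permission>
  <permission>hudson.model.Item.Cancel:alice</permission>
  <permission>USER:hudson.model.Item.Cancel:bob</permission>
  <permission>GROUP:hudson.model.Item.Read:qa</permission>
  <permission>GROUP:hudson.model.Item.Cancel:ops</permission>
</authorizationStrategy>"""

ADMIN = "hudson.model.Hudson.Administer"
ITEM_READ = "hudson.model.Item.Read"
ITEM_CANCEL = "hudson.model.Item.Cancel"


def load_grants(config_xml: str) -> dict[str, set[str]]:
    """Map each principal (user or group) to the permission ids granted to it."""
    grants: dict[str, set[str]] = {}
    for entry in ET.fromstring(config_xml).iter("permission"):
        text = (entry.text or "").strip()
        if text.split(":", 1)[0] in ("USER", "GROUP", "EITHER"):
            _, perm, sid = text.split(":", 2)   # "TYPE:perm:sid"
        else:
            perm, sid = text.split(":", 1)      # "perm:sid"
        grants.setdefault(sid, set()).add(perm)
    return grants


def cancel_without_read(grants: dict[str, set[str]]) -> list[str]:
    """Principals that can cancel queue items they are not allowed to view."""
    exposed = []
    for sid, perms in grants.items():
        if ADMIN in perms:          # Overall/Administer implies every permission
            continue
        if ITEM_CANCEL in perms and ITEM_READ not in perms:
            exposed.append(sid)
    return sorted(exposed)


def is_fixed(version: str) -> bool:
    """True when the Jenkins version is at or past 2.568 (weekly) or 2.555.3 (LTS)."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 3:             # LTS releases carry a third component
        return parts >= (2, 555, 3)
    return parts >= (2, 568)


if __name__ == "__main__":
    print("exposed principals:", cancel_without_read(load_grants(SAMPLE_CONFIG_XML)))
```

Until the instance is upgraded, the listed principals are the ones whose Item/Cancel grant should be reviewed.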

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 2