VYPR
← All advisories
Medium severity4.3NVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

CVE-2026-53439

CVE-2026-53439

Description

Jenkins 2.567 and earlier are vulnerable to information disclosure and potential RCE due to missing permission checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins 2.567 and earlier are vulnerable to information disclosure and potential RCE due to missing permission checks.

Vulnerability

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, suffer from missing permission checks. This allows attackers with Overall/Read permission to enumerate view names and determine other users' configured timezones [1].

Exploitation

Attackers require Overall/Read permission and a user account, or permissions to POST config.xml (such as Item/Configure or View/Configure). They can exploit this by submitting an attacker-controlled config.xml to deserialize arbitrary types, enabling them to handle HTTP requests afterwards [1].

Impact

Successful exploitation allows attackers to impersonate any user, send HTTP requests on their behalf, and potentially execute arbitrary code via the Script Console. They can also read arbitrary files from the Jenkins controller [1].

Mitigation

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, are affected. A fixed version is available as of Jenkins 2.568 and LTS 2.555.3, released on June 10, 2026 [1].

References
  1. Jenkins Security Advisory 2026-06-10

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Jenkins Project/Jenkinsinferred2 versions
    <=2.567, Lts<=2.555.2+ 1 more
    • (no CPE)range: <=2.567, Lts<=2.555.2
    • (no CPE)range: <=2.567, LTS <=2.555.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

2