CVE-2026-53440
Description
Jenkins allows attackers with specific permissions to redirect users to malicious sites after login, enabling phishing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins allows attackers with specific permissions to redirect users to malicious sites after login, enabling phishing attacks.
Vulnerability
Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, do not properly validate the from parameter used for redirects after login. This allows attackers to redirect users to arbitrary, attacker-controlled domains.
Exploitation
An attacker needs to trick a user into clicking a crafted link that initiates a login process. The vulnerability lies in the server-side handling of the from parameter, which is intended to specify the redirect destination after successful authentication. By manipulating this parameter, an attacker can redirect the user's browser to a domain they control.
Impact
Successful exploitation allows attackers to perform phishing attacks by redirecting users to malicious websites. This can lead to the theft of user credentials or other sensitive information, as users may believe they are interacting with a legitimate Jenkins instance.
Mitigation
This vulnerability is addressed in Jenkins 2.567 and LTS 2.555.2 and earlier. The Jenkins Security Advisory 2026-06-10 [1] provides details on the fix. Users are advised to update to a patched version of Jenkins. No workarounds are mentioned in the available references.
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.567, LTS <=2.555.2
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
2- Jenkins Core: Eight Vulnerabilities Disclosed Together on June 10, 2026Vypr Intelligence · Jun 10, 2026
- Jenkins Security Advisory 2026-06-10Jenkins Security Advisories · Jun 10, 2026