CVE-2026-53442

Vulnerability

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, do not encrypt secrets submitted via POST config.xml requests before storing them in job configuration files. These secrets are stored unencrypted in job config.xml files on the Jenkins controller, making them accessible to users with Item/Extended Read permission or direct file system access [1].

Exploitation

An attacker needs Overall/Read permission and at least one permission to POST config.xml (e.g., Item/Configure, View/Configure, Agent/Configure) to exploit this vulnerability. They can submit a crafted config.xml to trigger deserialization of arbitrary types, allowing them to handle HTTP requests. This can be used to impersonate users, send HTTP requests on their behalf, or access the Script Console to run arbitrary code [1].

Impact

Successful exploitation allows an attacker to impersonate any user, send HTTP requests on their behalf, potentially leading to arbitrary code execution via the Script Console. Attackers can also read arbitrary files from the Jenkins controller [1]. The scope of the compromise is determined by the permissions of the impersonated user and the Jenkins controller's file system access.

Mitigation

Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, are affected. The advisory does not specify a fixed version or release date for this particular vulnerability (SECURITY-3744). No workarounds are mentioned in the available references [1].