VYPR
Medium severity (4.3) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-9674

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed builds without user knowledge.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Multijob Plugin versions 662.vd2e0001f6b_b_d and earlier [1]. The plugin does not properly validate or require a token for the HTTP endpoint that resumes failed Multijob builds, allowing an attacker to craft a malicious web request that, when visited by an authenticated Jenkins user, executes an unintended action on the user's behalf [1].

Exploitation

An attacker can exploit this vulnerability by hosting a crafted webpage or email link that triggers a GET or POST request to the Jenkins server endpoint responsible for resuming failed Multijob builds [1]. The attacker does not need authentication if they can trick a valid Jenkins user with the appropriate permissions (e.g., Job/Build permission) into clicking the link or loading the malicious content in their browser when they are logged into Jenkins [1]. No other special network position or race condition is required.

Impact

A successful CSRF attack allows the attacker to resume a previously failed Multijob build on the Jenkins controller [1]. This can lead to unintended build executions, potential service disruption, or triggering downstream jobs in the pipeline chain. While the attack does not directly disclose sensitive information or achieve code execution, it can disrupt operations or cause a denial of service by repeatedly resuming failed builds [1].

Mitigation

Jenkins has released Multijob Plugin version 663.v59aba_7c0b_b_a_8 which includes a CSRF token check for the resume endpoint, fixing this vulnerability [1]. Users should upgrade to this version or later. No workaround is documented for versions that cannot be updated [1]. The plugin is not listed on the CISA KEV as of the publication date [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
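As an added illustration (not the Multijob plugin's own code; the page does not show the actual resume endpoint), the following hypothetical Jenkins action shows the general pattern behind this class of fix: a Stapler web method that accepts any HTTP method, beside the same method hardened with `@RequirePOST`, which makes Jenkins enforce its CSRF crumb, plus an explicit permission check. The class and method names (`ResumeAction`, `doResume`, `doResumeUnsafe`) are assumptions.

```java
// Added example, not code from the Multijob plugin. ResumeAction and the
// do* method names are hypothetical; the Jenkins/Stapler APIs are real.
package example;

import hudson.model.AbstractProject;
import hudson.model.Action;
import hudson.model.Cause;
import hudson.model.Item;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ResumeAction implements Action {
    private final AbstractProject<?, ?> project;

    public ResumeAction(AbstractProject<?, ?> project) {
        this.project = project;
    }

    // BEFORE (vulnerable pattern): Stapler routes GET and POST alike to this
    // method. Jenkins' CrumbFilter only verifies the CSRF crumb on POST, so a
    // plain GET issued by a third-party page in a logged-in user's browser
    // reaches the action with no token check at all.
    public HttpResponse doResumeUnsafe() {
        project.scheduleBuild2(0, new Cause.UserIdCause());
        return HttpResponses.forwardToPreviousPage();
    }

    // AFTER (hardened): @RequirePOST makes Stapler reject non-POST requests
    // (HTTP 405), and a POST must carry a valid crumb, which a cross-origin
    // form cannot obtain. checkPermission() additionally enforces Job/Build
    // for the calling user rather than relying on the action being hidden.
    @RequirePOST
    public HttpResponse doResume() {
        project.checkPermission(Item.BUILD);
        project.scheduleBuild2(0, new Cause.UserIdCause());
        return HttpResponses.forwardToPreviousPage();
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Resume"; }
    @Override public String getUrlName() { return "resume"; }
}
```

Keeping the endpoint behind POST is what lets Jenkins' built-in crumb issuer do its job; a GET-reachable state-changing method bypasses that protection regardless of how the crumb is configured.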

Affected products

2 entries (no CPE assigned)
  • range: <=662.vd2e0001f6b_b_d
  • range: <=662.vd2e0001f6b_b_d

Patches

0: No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1