Jenkins Patches 7 High-Severity Plugin Flaws, Including Path Traversal and XSS Bugs
Jenkins released a security advisory on April 29, 2026, patching seven vulnerabilities across six plugins, including a high-severity path traversal bug that can lead to remote code execution.

Jenkins released a security advisory on April 29, 2026, addressing seven vulnerabilities across six plugins, including the Credentials Binding, GitHub, GitHub Branch Source, HTML Publisher, Matrix Authorization Strategy, Microsoft Entra ID, and Script Security plugins. The most severe flaw, CVE-2026-42520, is a path traversal vulnerability in the Credentials Binding Plugin rated High severity. Attackers who can provide credentials to a job can write files to arbitrary locations on the node filesystem, and if Jenkins is configured to allow low-privileged users to configure file or zip file credentials for jobs running on the built-in node, this can lead to remote code execution. Jenkins recommends updating Credentials Binding Plugin to version 720.v3f6decef43ea_, which sanitizes file names and prevents path traversal.
Two stored cross-site scripting (XSS) vulnerabilities were also patched. CVE-2026-42523 affects the GitHub Plugin (versions 1.46.0 and earlier), where the plugin improperly processes the current job URL as part of the JavaScript that implements validation of the 'GitHub hook trigger for GITScm polling' feature. This allows non-anonymous attackers with Overall/Read permission to exploit a stored XSS vulnerability. GitHub Plugin version 1.46.0.1 no longer processes the job URL in that manner. CVE-2026-42524 affects the HTML Publisher Plugin (version 427 and earlier), where the job name and URL are not escaped in the legacy wrapper file. Attackers with Item/Configure permission can exploit a stored XSS vulnerability. HTML Publisher Plugin 427.1 escapes the job name and URL when generating new wrappers, though wrapper files generated before the update are not changed by the fix.
Several medium-severity vulnerabilities were also addressed. CVE-2026-42519 in Script Security Plugin (version 1399.ve6a_66547f6e1 and earlier) lacks a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. The fix in Script Security Plugin 1402.v94c9ce464861 requires Overall/Administer permission for this operation. CVE-2026-42521 in Matrix Authorization Strategy Plugin (versions 2.0-beta-1 through 3.2.9) involves unsafe deserialization where parameterless constructors of arbitrary classes can be invoked. Attackers with Item/Configure permission can instantiate arbitrary types, potentially leading to information disclosure. Matrix Authorization Strategy Plugin 3.2.10 restricts instantiation to inheritance strategy implementations.
CVE-2026-42522 in GitHub Branch Source Plugin (version 1967.vdea_d580c1a_b_a_ and earlier) lacks a permission check in a method implementing form validation. Attackers with Overall/Read permission can connect to an attacker-specified URL with attacker-specified GitHub App credentials. The fix in version 1967.1969.v205fd594c821 requires Overall/Manage permission. CVE-2026-42525 in Microsoft Entra ID (previously Azure AD) Plugin (version 666.v6060de32f87d and earlier) is an open redirect vulnerability after login, enabling phishing attacks. Version 667.v4c5827a_e74a_0 restricts redirects to relative Jenkins URLs.
Security teams managing Jenkins instances should prioritize updating to the latest plugin versions. The Credentials Binding flaw is particularly critical because it can chain into remote code execution when jobs run on the built-in node, a common deployment scenario. The XSS bugs, while requiring some user interaction, can be leveraged to steal session tokens or perform actions on behalf of administrators. Jenkins rated all of the CVEs at Medium or High severity, and none are listed as exploited in the wild at this time. However, given the widespread adoption of Jenkins in enterprise CI/CD pipelines, administrators should apply the patches promptly.
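To turn the fixed versions above into a quick inventory check, the following added example (not Jenkins' own tooling) flags installed plugins that are still below the first fixed version named in the advisory. It assumes the plugin short names used as dictionary keys (credentials-binding, github, htmlpublisher, script-security, matrix-auth, github-branch-source, azure-ad) and reads a constructed sample in the shape of the `/pluginManager/api/json?depth=1` plugin list; it compares only the leading numeric components of each version string, which suffices for the versions in this advisory but is a simplification of Jenkins' full version ordering.

```python
# Plugin short name -> (first fixed version, CVE), as stated in the advisory.
# Short names are assumed from the Jenkins plugin registry; verify against your instance.
FIXED_VERSIONS = {
    "credentials-binding": ("720.v3f6decef43ea_", "CVE-2026-42520"),
    "github": ("1.46.0.1", "CVE-2026-42523"),
    "htmlpublisher": ("427.1", "CVE-2026-42524"),
    "script-security": ("1402.v94c9ce464861", "CVE-2026-42519"),
    "matrix-auth": ("3.2.10", "CVE-2026-42521"),
    "github-branch-source": ("1967.1969.v205fd594c821", "CVE-2026-42522"),
    "azure-ad": ("667.v4c5827a_e74a_0", "CVE-2026-42525"),
}


def version_key(version: str) -> tuple:
    """Leading dot-separated numeric components of a Jenkins plugin version.

    '1967.1969.v205fd594c821' -> (1967, 1969); '3.2.10' -> (3, 2, 10).
    Parsing stops at the first non-numeric component (the 'v<hash>' suffix).
    """
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable_plugins(inventory: dict) -> list:
    """Return one finding per installed plugin whose version is below the fix."""
    findings = []
    for plugin in inventory.get("plugins", []):
        name = plugin.get("shortName")
        if name not in FIXED_VERSIONS:
            continue
        fixed, cve = FIXED_VERSIONS[name]
        if version_key(plugin["version"]) < version_key(fixed):
            findings.append({"shortName": name, "version": plugin["version"],
                             "fixed": fixed, "cve": cve})
    return findings


# Constructed sample inventory (not real data): two outdated, two patched, one unrelated.
SAMPLE_INVENTORY = {
    "plugins": [
        {"shortName": "credentials-binding", "version": "700.v0000000000"},  # constructed
        {"shortName": "github-branch-source", "version": "1967.vdea_d580c1a_b_a_"},
        {"shortName": "htmlpublisher", "version": "427.1"},
        {"shortName": "matrix-auth", "version": "3.2.10"},
        {"shortName": "git", "version": "5.2.2"},
    ]
}
```

Replace `SAMPLE_INVENTORY` with the JSON returned by your own instance's plugin manager endpoint to check a real installation.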