VYPR advisory, published May 27, 2026 (1 source)

Jenkins Patches Multiple Plugin Vulnerabilities Including RCE, File Read, and Path Traversal Flaws

Jenkins released a security advisory addressing 11 vulnerabilities across plugins including LDAP, Active Directory, Email Extension, and Pipeline: Groovy Libraries, with some flaws enabling remote code execution.

Jenkins published its Security Advisory 2026-05-27 on Wednesday, disclosing a batch of vulnerabilities affecting a wide range of plugins. The advisory covers 11 distinct security flaws in plugins including Active Directory, AppSpider, Bitbucket OAuth, buildgraph-view, Credentials Binding, Email Extension, GitHub Integration, Job Import, LDAP, Multijob, and Pipeline: Groovy Libraries. Several of the vulnerabilities carry a High severity rating, and administrators are urged to update affected plugins immediately.

Two of the most critical issues involve remote code execution (RCE) through unvalidated LDAP referrals. The LDAP Plugin (versions 807.v7d7de30930cf and earlier) and the Active Directory Plugin (versions 2.41 and earlier) both follow LDAP referrals from their configured servers. These referrals can forward to an RMI URL, causing Jenkins to deserialize attacker-controlled data. If deserialization "gadgets" are available on the classpath, an attacker who controls the LDAP server or can perform a machine-in-the-middle attack can execute arbitrary code on the Jenkins controller. The LDAP Plugin update (807.809.vd3a_4e5e4ec98) stops following referrals entirely, while the Active Directory Plugin (2.41.1) disables the behavior by default but allows administrators to re-enable it via a Java system property.

Two High-severity arbitrary file read vulnerabilities were also patched. The Email Extension Plugin (versions 1933.v45cec755423f and earlier) allowed inlining images as base64 in email content via a `data-inline` attribute, with no restrictions on the image URLs. Attackers who control email content could specify `file:` URLs to read arbitrary files from the Jenkins controller filesystem. The feature has been removed in version 1933.1935.v276319e3cc47. Separately, the Pipeline: Groovy Libraries Plugin (versions 797.v90ea_a_9b_e45a_0 and earlier) did not prohibit symbolic links in shared libraries, allowing attackers who control library content to read arbitrary files. Version 798.v5cc688825312 blocks symbolic links.

A path traversal vulnerability in the Credentials Binding Plugin (versions 720.v3f6decef43ea_ and earlier) could allow attackers to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow low-privileged users to configure file or zip file credentials for jobs running on the built-in node, this could lead to remote code execution. The fix in version 725.ve52b_2328a_fde improves sanitization of file names for file and zip file credentials.

Additional medium-severity issues include a missing permission check in the AppSpider Plugin (CVE-2026-48923) that allows attackers with Overall/Read permission to connect to attacker-specified URLs, an open redirect in the Bitbucket OAuth Plugin (CVE-2026-48924) that could be used for phishing, and a CSRF vulnerability in the GitHub Integration Plugin (CVE-2026-48925) that allows attackers to trigger actions without proper request method validation. The full advisory with all CVE identifiers and affected versions is available on the Jenkins security advisory page.

Jenkins administrators should prioritize updating the LDAP, Active Directory, Email Extension, Pipeline: Groovy Libraries, and Credentials Binding plugins, as these carry the highest risk of code execution or sensitive data exposure. The advisory follows a pattern of periodic security updates from Jenkins, which maintains a large ecosystem of community-developed plugins that can introduce vulnerabilities if not properly maintained.
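As an added example (not part of the advisory and not Jenkins's own tooling), the following Python snippet checks installed plugin versions against the fixed versions quoted above. It assumes the plugin short names used by the Jenkins plugin manager (`ldap`, `active-directory`, `email-ext`, `pipeline-groovy-lib`, `credentials-binding`) and runs over a constructed sample of the `shortName`/`version` records that `/pluginManager/api/json?depth=1` returns on a real controller.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions taken from the advisory summary above; keys are the plugins'
# short names as reported by the Jenkins plugin manager (assumed, not from the page).
FIXED_VERSIONS: Dict[str, str] = {
    "ldap": "807.809.vd3a_4e5e4ec98",
    "active-directory": "2.41.1",
    "email-ext": "1933.1935.v276319e3cc47",
    "pipeline-groovy-lib": "798.v5cc688825312",
    "credentials-binding": "725.ve52b_2328a_fde",
}

# Constructed sample of /pluginManager/api/json?depth=1 output (not a real controller).
SAMPLE_PLUGINS: List[Dict[str, str]] = [
    {"shortName": "ldap", "version": "807.v7d7de30930cf"},
    {"shortName": "active-directory", "version": "2.41.1"},
    {"shortName": "email-ext", "version": "1933.v45cec755423f"},
    {"shortName": "pipeline-groovy-lib", "version": "798.v5cc688825312"},
    {"shortName": "credentials-binding", "version": "720.v3f6decef43ea_"},
    {"shortName": "git", "version": "5.2.2"},
]


def version_key(version: str) -> Tuple[int, ...]:
    """Ordered numeric prefix of a Jenkins plugin version.

    CD-style versions ("807.809.vd3a_4e5e4ec98") are numeric segments followed by a
    "v<hash>" segment; the hash carries no ordering, so only the numeric prefix
    decides precedence. A shorter prefix sorts lower: (807,) < (807, 809).
    """
    key = []
    for seg in version.split("."):
        if not re.fullmatch(r"\d+", seg):
            break  # first non-numeric segment ("v<hash>") ends the prefix
        key.append(int(seg))
    return tuple(key)


def is_vulnerable(installed: str, fixed: str) -> bool:
    return version_key(installed) < version_key(fixed)


def find_unpatched(plugins: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {short_name: installed_version} for plugins still below the fix."""
    return {
        p["shortName"]: p["version"]
        for p in plugins
        if p["shortName"] in FIXED_VERSIONS
        and is_vulnerable(p["version"], FIXED_VERSIONS[p["shortName"]])
    }


if __name__ == "__main__":
    for name, ver in find_unpatched(SAMPLE_PLUGINS).items():
        print(f"UPDATE {name}: {ver} -> {FIXED_VERSIONS[name]}")
```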

Synthesized by Vypr AI