Jenkins Project: 25 Plugin Vulnerabilities Disclosed Together on June 24, 2026
Key findings • 25 Jenkins plugins were affected by vulnerabilities disclosed on June 24, 2026. • Common themes include missing permission checks and cross-site request forgery (CSRF) across m…

Key findings
- 25 Jenkins plugins were affected by vulnerabilities disclosed on June 24, 2026.
- Common themes include missing permission checks and cross-site request forgery (CSRF) across multiple plugins.
- Vulnerabilities range from information disclosure and credential capture to arbitrary code execution.
- The Jenkins Project has released security advisories and patches for all affected plugins.
- Users are urged to update plugins promptly to mitigate risks.
On June 24, 2026, the Jenkins Project disclosed a significant batch of 25 vulnerabilities affecting various plugins. These vulnerabilities, all disclosed simultaneously, range in severity and impact, with many stemming from common weaknesses such as missing permission checks, cross-site request forgery (CSRF), and improper handling of user input. The widespread nature of these flaws across multiple plugins highlights the importance of diligent security practices within the Jenkins ecosystem.
Several plugins are affected by missing permission checks, allowing unauthorized access to sensitive information or actions. For instance, CVE-2026-57307 and CVE-2026-57304 in the Zowe zDevOps Plugin and EC2 Fleet Plugin, respectively, permit attackers with Overall/Read permission to capture credentials by connecting to attacker-specified URLs. Similarly, CVE-2026-57299 (Contrast Continuous Application Security Plugin) and CVE-2026-57286 (Git Parameter Plugin) allow for enumeration of metadata or SCM information due to insufficient permission checks. CVE-2026-57300 (MCP Server Plugin) enables reading pipeline replay scripts, while CVE-2026-57293 (Gitee Plugin) allows enumeration of credential IDs.
Cross-site request forgery (CSRF) is another recurring theme. CVE-2026-57306 (Zowe zDevOps Plugin), CVE-2026-57305 (Assembla Plugin), CVE-2026-57298 (Contrast Continuous Application Security Plugin), CVE-2026-57296 (EC2 Fleet Plugin), CVE-2026-57290 (Priority Sorter Plugin), and CVE-2026-57291 (Gitee Plugin) all involve CSRF vulnerabilities that could lead to unauthorized actions, credential capture, or configuration overwrites.
Specific plugin vulnerabilities include an XML External Entity (XXE) flaw in the Assembla Plugin (CVE-2026-57303), which could lead to secret extraction or server-side request forgery. The FitNesse Plugin (CVE-2026-57302) stores passwords unencrypted, making them accessible to users with Extended Read permission. The OWASP ZAP Plugin (CVE-2026-57301) has a critical vulnerability allowing arbitrary code execution on the Jenkins controller due to build operations being performed on the controller instead of the agent. Path traversal in the External Workspace Manager Plugin (CVE-2026-57296) allows attackers to read arbitrary files. The Bitbucket Push and Pull Request Plugin (CVE-2026-57289) has a vulnerability where SSL/TLS certificate validation is disabled, potentially exposing bearer tokens. The Active Directory Plugin (CVE-2026-57288) is susceptible to LDAP injection for user enumeration and authentication bypass. The Job Configuration History Plugin (CVE-2026-57287) fails to redact encrypted secrets in historical configurations. The Pipeline: Groovy Plugin (CVE-2026-57284) allows instantiation of restricted types via the Snippet Generator. Finally, the Git client Plugin (CVE-2026-57282) is vulnerable to arbitrary command execution on the agent due to improper escaping of the workspace directory name.
The Jenkins Project addressed these vulnerabilities through updates to the affected plugins. Users are strongly advised to consult the official Jenkins security advisory for detailed information on affected versions and the corresponding patched releases. Promptly updating all Jenkins plugins to their latest versions is crucial to mitigate the risks associated with these vulnerabilities.
This coordinated disclosure underscores the dynamic threat landscape surrounding CI/CD tools like Jenkins. Organizations relying on Jenkins should prioritize regular security audits and timely patching to maintain a robust security posture against evolving threats. The sheer number of vulnerabilities disclosed on a single day emphasizes the need for continuous vigilance and proactive security management.
The Jenkins security advisory for this batch can be found at: https://www.jenkins.io/security/advisory/2026-06-24/