What is the CVSS score of CVE-2026-27100?

CVE-2026-27100 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Jenkins are affected by CVE-2026-27100?

CVE-2026-27100 presents moderate security risk, a information exposure vulnerability rated CVSS 4.3. Sensitive information could be exposed to unauthorized parties.. A patch is available.

Jenkins CVE-2026-27100

MEDIUM

Information Exposure (CWE-200)

2026-02-18 jenkinsci-cert@googlegroups.com

GHSA-wfhp-qgm8-5p5c

Jenkins Red Hat

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 18, 2026 - 15:18 nvd

MEDIUM 4.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 maven packages depend on org.jenkins-ci.main:jenkins-core (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.542.

DescriptionNVD

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.

AnalysisAI

Jenkins versions 2.550 and earlier fail to properly validate Run Parameter access controls, allowing authenticated users with Item/Build and Item/Configure permissions to enumerate sensitive information about jobs, builds, and their display names they should not have access to. This information disclosure vulnerability affects Jenkins LTS 2.541.1 and earlier, with no patch currently available. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review data exposure and access controls.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory