Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.
AnalysisAI
Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery, allowing a highly privileged attacker who controls LDAP configuration to force the Jenkins server to initiate connections to arbitrary internal hosts by supplying a malicious LDAP server that returns crafted referrals. The CVSS score of 6.6 reflects genuine constraints: network-reachable but requiring both high privileges and high attack complexity, with High confidentiality, integrity, and availability impact if those barriers are cleared. SSVC assessment confirms no current exploitation and a non-automatable attack path, though technical impact is rated total; no public exploit code has been identified at time of analysis.
Technical ContextAI
LDAP referrals (defined in RFC 3296) are a protocol mechanism allowing an LDAP server to redirect a client to another LDAP server for a specific query. When a client implementation follows these referrals without validation or restriction, the application can be directed to connect to arbitrary hosts and ports specified in the referral URL - a textbook instance of CWE-918 (Server-Side Request Forgery). The Jenkins LDAP Plugin uses an LDAP client library to authenticate users against a configured directory service; by not disabling referral chasing, Jenkins will faithfully follow referrals returned by whichever LDAP server it is pointed at. The CVSS vector (AV:N/AC:H/PR:H) confirms the attack surface: network-accessible but requiring administrative control over the LDAP plugin configuration. Affected product per ENISA EUVD-2026-32507 and NVD is Jenkins LDAP Plugin through version 807.v7d7de30930cf.
RemediationAI
The primary fix is to upgrade the Jenkins LDAP Plugin to a version beyond 807.v7d7de30930cf that disables or restricts LDAP referral following, as documented in the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3654. The exact patched version number is not specified in the available input data - consult the advisory directly to confirm the precise fixed release before deploying. As compensating controls pending upgrade, administrators should audit and minimize who holds Jenkins Overall/Administer privileges, since this reduces the pool of principals capable of altering LDAP configuration to enable exploitation. Additionally, implementing outbound network firewall rules on the Jenkins host to restrict LDAP connections (TCP 389 and TCP 636) to only the authorized directory server addresses will contain the SSRF blast radius by preventing Jenkins from reaching arbitrary internal endpoints even if a malicious referral is returned. Note that overly broad outbound restrictions may interfere with legitimate LDAP operations if referrals to authorized secondary directory servers are in use.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32507
GHSA-fmjp-mw89-c6h6