Skip to main content

Active Directory Plugin CVE-2026-48919

| EUVDEUVD-2026-32510 MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-05-27 jenkinsci-cert@googlegroups.com GHSA-p2gw-f3rv-82mw
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 21:14 vuln.today
CVE Published
May 27, 2026 - 15:16 nvd
MEDIUM 6.6

DescriptionCVE.org

Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.

AnalysisAI

Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrative credentials to achieve full system compromise by manipulating the LDAP referral processing path. The plugin deserializes data received from LDAP referrals without validation (CWE-502), which can enable arbitrary code execution on the Jenkins controller. No public exploit exists at time of analysis, and CISA SSVC assesses this as not automatable, though technical impact is rated total - making it a targeted rather than opportunistic threat.

Technical ContextAI

Jenkins Active Directory Plugin integrates Jenkins with Microsoft Active Directory authentication via LDAP. LDAP referrals are standard protocol responses where one directory server redirects a client to query another - a feature this plugin follows automatically during authentication lookups. The root cause is CWE-502 (Deserialization of Untrusted Data): when the plugin receives and processes data from a referred LDAP server, it deserializes the content without any integrity or class validation. This is a well-understood Java attack primitive - a crafted serialized object payload embedded in the referral response can trigger gadget chains leading to arbitrary code execution. The affected CPE scope covers Jenkins Active Directory Plugin from version 0 through 2.41 inclusive, as confirmed by EUVD-2026-32510.

RemediationAI

The primary remediation is to upgrade Jenkins Active Directory Plugin to a version beyond 2.41 as directed by the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3659. The exact patched release version number is not independently confirmed from the provided input data and must be obtained directly from that advisory. As a compensating control where immediate patching is not feasible, administrators can disable LDAP referral following in the Active Directory plugin configuration, preventing the plugin from processing data from referred LDAP servers entirely; note this may break cross-domain or multi-forest Active Directory authentication. Strictly enforcing the principle of least privilege for Jenkins administrative accounts reduces the attack surface, since PR:H is a hard prerequisite for exploitation. Network-level egress filtering restricting outbound LDAP connections from the Jenkins host to only known, trusted domain controllers limits exposure to attacker-controlled referral endpoints.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Share

CVE-2026-48919 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy