Skip to main content

Jenkins CVE-2026-53436

| EUVDEUVD-2026-36020 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-10 jenkins GHSA-3rqh-hch3-jhpc
4.3
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 10, 2026 - 16:43 vuln.today
CVSS changed
Jun 10, 2026 - 16:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 10, 2026 - 13:05 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (./ or ../), allowing attackers to perform phishing attacks.

AnalysisAI

Open redirect exploitation in Jenkins allows unauthenticated network attackers to craft login URLs that bypass the post-authentication redirect validation and forward users to attacker-controlled external sites. Affected are Jenkins weekly releases through 2.567 and LTS releases through 2.555.2, where the redirect URL legitimacy check fails when the URL contains relative path segments such as ./ or ../. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, placing this in a moderate-risk, phishing-enablement category rather than a direct system compromise class.

Technical ContextAI

CWE-601 (URL Redirection to Untrusted Site / Open Redirect) describes the root cause: insufficient validation of user-controlled redirect targets. Jenkins accepts a redirect URL parameter during the login flow to return users to their intended destination post-authentication. The flawed validation logic incorrectly classifies URLs containing relative path traversal segments (./ or ../) as internal Jenkins destinations, when in fact these segments can be used to construct paths resolving to external domains. The affected component is the Jenkins core application itself (CPE: cpe:2.3:a:jenkins_project:jenkins:*:*:*:*:*:*:*:*), spanning both the weekly release channel and the Long-Term Support (LTS) release channel. The flaw is architectural - the parser trusts path-segment normalization to constrain the redirect target but does not account for how relative traversal sequences resolve when prepended to an external scheme.

RemediationAI

The primary fix is to upgrade to Jenkins 2.568 (weekly channel) or Jenkins LTS 2.555.3, both of which contain the corrected redirect URL validation logic per the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3711+3755. These patch versions are confirmed by the ENISA EUVD record EUVD-2026-36020 and the oss-security disclosure at https://seclists.org/oss-sec/2026/q2/867. If immediate upgrade is not feasible, a compensating control is to place Jenkins behind a reverse proxy or WAF configured to strip or reject redirect query parameters on the login endpoint - note this may break legitimate deep-linking workflows and should be tested before deployment. Alternatively, network-level controls restricting access to the Jenkins login page to trusted IP ranges would reduce exposure to external phishing link delivery, though this does not eliminate the vulnerability for insider-threat or spear-phishing scenarios. No workaround is a substitute for patching; schedule upgrade at the earliest practical maintenance window.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Vendor StatusVendor

Share

CVE-2026-53436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy