Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (./ or ../), allowing attackers to perform phishing attacks.
AnalysisAI
Open redirect exploitation in Jenkins allows unauthenticated network attackers to craft login URLs that bypass the post-authentication redirect validation and forward users to attacker-controlled external sites. Affected are Jenkins weekly releases through 2.567 and LTS releases through 2.555.2, where the redirect URL legitimacy check fails when the URL contains relative path segments such as ./ or ../. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, placing this in a moderate-risk, phishing-enablement category rather than a direct system compromise class.
Technical ContextAI
CWE-601 (URL Redirection to Untrusted Site / Open Redirect) describes the root cause: insufficient validation of user-controlled redirect targets. Jenkins accepts a redirect URL parameter during the login flow to return users to their intended destination post-authentication. The flawed validation logic incorrectly classifies URLs containing relative path traversal segments (./ or ../) as internal Jenkins destinations, when in fact these segments can be used to construct paths resolving to external domains. The affected component is the Jenkins core application itself (CPE: cpe:2.3:a:jenkins_project:jenkins:*:*:*:*:*:*:*:*), spanning both the weekly release channel and the Long-Term Support (LTS) release channel. The flaw is architectural - the parser trusts path-segment normalization to constrain the redirect target but does not account for how relative traversal sequences resolve when prepended to an external scheme.
RemediationAI
The primary fix is to upgrade to Jenkins 2.568 (weekly channel) or Jenkins LTS 2.555.3, both of which contain the corrected redirect URL validation logic per the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3711+3755. These patch versions are confirmed by the ENISA EUVD record EUVD-2026-36020 and the oss-security disclosure at https://seclists.org/oss-sec/2026/q2/867. If immediate upgrade is not feasible, a compensating control is to place Jenkins behind a reverse proxy or WAF configured to strip or reject redirect query parameters on the login endpoint - note this may break legitimate deep-linking workflows and should be tested before deployment. Alternatively, network-level controls restricting access to the Jenkins login page to trusted IP ranges would reduce exposure to external phishing link delivery, though this does not eliminate the vulnerability for insider-threat or spear-phishing scenarios. No workaround is a substitute for patching; schedule upgrade at the earliest practical maintenance window.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36020
GHSA-3rqh-hch3-jhpc