Skip to main content

Jenkins CVE-2026-53442

| EUVDEUVD-2026-36026 MEDIUM
Missing Encryption of Sensitive Data (CWE-311)
2026-06-10 jenkins GHSA-m6wv-wh8g-64xc
5.3
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 10, 2026 - 16:48 vuln.today
CVSS changed
Jun 10, 2026 - 16:22 NVD
5.3 (MEDIUM)
CVE Published
Jun 10, 2026 - 13:06 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.

AnalysisAI

Unencrypted secret storage in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) exposes credentials submitted via POST config.xml to any user holding Item/Extended Read permission or with read access to the Jenkins controller filesystem. Secrets that should be encrypted at rest are written as plaintext into job config.xml files, making them directly readable through Jenkins' built-in permission model or OS-level file access. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the privileged insider and lateral-movement risk is significant for organizations embedding CI/CD credentials in job configurations.

Technical ContextAI

Jenkins stores job configurations as XML files (config.xml) on the controller filesystem under the Jenkins home directory. When jobs contain secret fields - such as passwords, API tokens, or injected credentials - these values are normally encrypted before being written to disk using Jenkins' internal secret store. CWE-311 (Missing Encryption of Sensitive Data) describes the root cause: the controller does not apply encryption to secrets submitted via HTTP POST to the config.xml endpoint before persisting them, leaving plaintext credential values in the job's config.xml file. The CPE cpe:2.3:a:jenkins_project:jenkins:*:*:*:*:*:*:*:* covers all Jenkins Project distributions up to the patched releases. Any user or process able to read these files - via the Jenkins API under Item/Extended Read or via direct filesystem access - can extract the plaintext secrets.

RemediationAI

Upgrade to Jenkins 2.568 or later for weekly release users, or Jenkins LTS 2.555.3 or later for LTS users, per the vendor advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3744 and ENISA EUVD-2026-36026. These are the vendor-confirmed patched versions. If immediate upgrade is not feasible, restrict Item/Extended Read permissions in the Jenkins authorization matrix to only highly trusted operators, since this permission is the primary read path for job config.xml files - note that tightening this permission may break legitimate read-only access workflows that depend on it. Additionally, audit the Jenkins controller filesystem (typically $JENKINS_HOME/jobs/*/config.xml) for plaintext secrets in existing job configurations, and rotate any credentials found exposed, since files written before patching will remain unencrypted on disk even after upgrading. Limit OS-level read access to the Jenkins home directory to the jenkins service account to reduce filesystem exposure as a compensating control.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Vendor StatusVendor

Share

CVE-2026-53442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy