Skip to main content

Jenkins Pipeline Plugin CVE-2026-57283

| EUVDEUVD-2026-38763 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 jenkins GHSA-72c8-3wwg-r59w
4.3
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.5 LOW

CSRF canonically requires victim interaction (UI:R); PR:L confirmed because authentication is required; no confidentiality or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 24, 2026 - 16:22 vuln.today
CVSS changed
Jun 24, 2026 - 15:22 NVD
4.3 (None) 4.3 (MEDIUM)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator.

AnalysisAI

Cross-site request forgery in the Jenkins Pipeline: Groovy Plugin (versions up to and including 4331.v9d06ed4658ff) enables authenticated low-privilege users to instantiate arbitrary Java types related to job or system configuration by exploiting the unprotected Pipeline Snippet Generator endpoint. The attacker can reach types outside the normally permitted set of Pipeline steps, potentially influencing configuration objects that should be off-limits at their privilege level. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Jenkins with low-privilege account
Delivery
Identify Pipeline Snippet Generator API endpoint
Exploit
Craft HTTP request omitting CSRF crumb token
Execution
Submit request to instantiate restricted configuration type
Impact
Configuration object instantiated outside normal privilege boundary

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Jenkins session with at minimum low-privilege access (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) reflects a moderate, low-integrity-impact issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege Jenkins user - such as a developer with read and build rights but no configuration authority - crafts a direct HTTP request to the Pipeline Snippet Generator API endpoint, omitting the CSRF crumb token. Because the endpoint lacks crumb validation, Jenkins accepts the request and instantiates a configuration-related Java type (e.g., a credentials binding or job property object) that the user could not otherwise access through the normal UI. …
Remediation The primary remediation is upgrading the Jenkins Pipeline: Groovy Plugin to a version beyond 4331.v9d06ed4658ff as directed by the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3677. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-57283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy