Skip to main content

Jenkins Assembla Plugin CVE-2026-57303

| EUVDEUVD-2026-38784 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-24 jenkins GHSA-2q27-6p2h-q6r3
7.1
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
5.9 MEDIUM

Attacker must control the Assembla server's responses (a non-trivial precondition) so AC:H rather than AC:L; PR:L for the configured-integration foothold; high confidentiality from secret/file disclosure, low integrity via SSRF, no availability impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 24, 2026 - 16:20 vuln.today
CVSS changed
Jun 24, 2026 - 15:22 NVD
7.1 (HIGH)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.

AnalysisAI

XML external entity (XXE) injection in the Jenkins Assembla Plugin version 1.4 and earlier lets an attacker who can control the HTTP responses of the configured Assembla server read sensitive files and secrets from the Jenkins controller and pivot into internal services via server-side request forgery. Mapped to CWE-918 (SSRF) with a CVSS 3.1 base score of 7.1 (high), there is no public exploit identified at time of analysis and CISA SSVC rates exploitation as 'none' with only partial technical impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain control of configured Assembla server responses
Delivery
Deliver crafted XML with external entity
Exploit
Jenkins controller parses XXE payload
Execution
Resolve file:// or http:// entity
Impact
Exfiltrate controller secrets or trigger SSRF

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker can control the HTTP/XML responses returned by the Assembla server that a Jenkins job is configured to communicate with - for example a compromised/malicious Assembla instance or a man-in-the-middle position on a non-validated or plaintext connection. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real-but-conditional issue rather than a drop-everything emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or impersonates the Assembla server configured in a Jenkins job (via a compromised endpoint or a man-in-the-middle on an unencrypted connection) returns a crafted XML payload containing a malicious external entity. When the Jenkins controller parses that response, the XXE entity reads a local secret file (e.g., credentials) or forces the controller to issue requests to internal systems (SSRF). …
Remediation No vendor-released patched version is identified in the available data, so a specific upgrade target cannot be cited; consult the Jenkins advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3692%20(1) for the current fix status and apply any released update once available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Jenkins instances running Assembla Plugin and identify installed versions via plugin manager. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy