Skip to main content

Jenkins LDAP Plugin EUVDEUVD-2026-32507

| CVE-2026-48916 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-27 jenkinsci-cert@googlegroups.com GHSA-fmjp-mw89-c6h6
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:15 vuln.today

DescriptionCVE.org

Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.

AnalysisAI

Unconstrained LDAP referral following in Jenkins LDAP Plugin (≤ 807.v7d7de30930cf) enables Server-Side Request Forgery, allowing a highly privileged attacker who controls LDAP configuration to force the Jenkins server to initiate connections to arbitrary internal hosts by supplying a malicious LDAP server that returns crafted referrals. The CVSS score of 6.6 reflects genuine constraints: network-reachable but requiring both high privileges and high attack complexity, with High confidentiality, integrity, and availability impact if those barriers are cleared. SSVC assessment confirms no current exploitation and a non-automatable attack path, though technical impact is rated total; no public exploit code has been identified at time of analysis.

Technical ContextAI

LDAP referrals (defined in RFC 3296) are a protocol mechanism allowing an LDAP server to redirect a client to another LDAP server for a specific query. When a client implementation follows these referrals without validation or restriction, the application can be directed to connect to arbitrary hosts and ports specified in the referral URL - a textbook instance of CWE-918 (Server-Side Request Forgery). The Jenkins LDAP Plugin uses an LDAP client library to authenticate users against a configured directory service; by not disabling referral chasing, Jenkins will faithfully follow referrals returned by whichever LDAP server it is pointed at. The CVSS vector (AV:N/AC:H/PR:H) confirms the attack surface: network-accessible but requiring administrative control over the LDAP plugin configuration. Affected product per ENISA EUVD-2026-32507 and NVD is Jenkins LDAP Plugin through version 807.v7d7de30930cf.

RemediationAI

The primary fix is to upgrade the Jenkins LDAP Plugin to a version beyond 807.v7d7de30930cf that disables or restricts LDAP referral following, as documented in the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3654. The exact patched version number is not specified in the available input data - consult the advisory directly to confirm the precise fixed release before deploying. As compensating controls pending upgrade, administrators should audit and minimize who holds Jenkins Overall/Administer privileges, since this reduces the pool of principals capable of altering LDAP configuration to enable exploitation. Additionally, implementing outbound network firewall rules on the Jenkins host to restrict LDAP connections (TCP 389 and TCP 636) to only the authorized directory server addresses will contain the SSRF blast radius by preventing Jenkins from reaching arbitrary internal endpoints even if a malicious referral is returned. Note that overly broad outbound restrictions may interfere with legitimate LDAP operations if referrals to authorized secondary directory servers are in use.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Share

EUVD-2026-32507 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy