Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.
AnalysisAI
Jenkins LDAP Plugin versions up to and including 807.v7d7de30930cf deserializes Java objects returned via LDAP referral responses without any validation, exposing the underlying Jenkins instance to potential remote code execution via classic Java deserialization gadget chains. Exploitation is constrained by a high privilege requirement and high attack complexity (CVSS PR:H/AC:H), limiting realistic scenarios to attackers who already hold Jenkins administrative credentials or can manipulate LDAP referral destinations. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.
Technical ContextAI
The Jenkins LDAP Plugin provides LDAP-based authentication integration for Jenkins CI/CD servers. LDAP referrals are a protocol-level mechanism allowing one directory server to redirect a client query to another LDAP server - the plugin follows these referrals and deserializes the returned data without validation. CWE-502 (Deserialization of Untrusted Data) is the root cause class: in Java deserialization attacks, an attacker crafts a malicious serialized object payload that, upon deserialization, traverses a 'gadget chain' of existing library methods on the classpath to achieve arbitrary code execution. The severity of this class of vulnerability depends heavily on the gadget chains available in the target JVM classpath, which varies by Jenkins installation. Affected versions span all releases from 0 through 807.v7d7de30930cf, as confirmed by EUVD-2026-32508.
RemediationAI
Administrators should immediately consult the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3654 and upgrade to the patched version of the LDAP Plugin; the specific fixed version number is referenced in that advisory but was not independently confirmed in the available input data - do not assume a version number beyond what the advisory specifies. As an immediate compensating control, disabling LDAP referral following in the plugin's connection settings eliminates the vulnerable code path entirely; this setting is typically non-default and disabling it has minimal operational impact in most deployments, though environments relying on multi-domain LDAP referral chaining should test before applying. Reducing the number of accounts with Jenkins administrative privileges (PR:H) limits the pool of potential attackers who could manipulate LDAP configuration. Auditing LDAP server infrastructure to ensure referral targets cannot be externally manipulated or spoofed further constrains the attack surface.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32508
GHSA-x9v8-p946-5pwc