Skip to main content

Jenkins LDAP Plugin EUVDEUVD-2026-32508

| CVE-2026-48917 MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-05-27 jenkinsci-cert@googlegroups.com GHSA-x9v8-p946-5pwc
6.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:15 vuln.today

DescriptionCVE.org

Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.

AnalysisAI

Jenkins LDAP Plugin versions up to and including 807.v7d7de30930cf deserializes Java objects returned via LDAP referral responses without any validation, exposing the underlying Jenkins instance to potential remote code execution via classic Java deserialization gadget chains. Exploitation is constrained by a high privilege requirement and high attack complexity (CVSS PR:H/AC:H), limiting realistic scenarios to attackers who already hold Jenkins administrative credentials or can manipulate LDAP referral destinations. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Technical ContextAI

The Jenkins LDAP Plugin provides LDAP-based authentication integration for Jenkins CI/CD servers. LDAP referrals are a protocol-level mechanism allowing one directory server to redirect a client query to another LDAP server - the plugin follows these referrals and deserializes the returned data without validation. CWE-502 (Deserialization of Untrusted Data) is the root cause class: in Java deserialization attacks, an attacker crafts a malicious serialized object payload that, upon deserialization, traverses a 'gadget chain' of existing library methods on the classpath to achieve arbitrary code execution. The severity of this class of vulnerability depends heavily on the gadget chains available in the target JVM classpath, which varies by Jenkins installation. Affected versions span all releases from 0 through 807.v7d7de30930cf, as confirmed by EUVD-2026-32508.

RemediationAI

Administrators should immediately consult the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3654 and upgrade to the patched version of the LDAP Plugin; the specific fixed version number is referenced in that advisory but was not independently confirmed in the available input data - do not assume a version number beyond what the advisory specifies. As an immediate compensating control, disabling LDAP referral following in the plugin's connection settings eliminates the vulnerable code path entirely; this setting is typically non-default and disabling it has minimal operational impact in most deployments, though environments relying on multi-domain LDAP referral chaining should test before applying. Reducing the number of accounts with Jenkins administrative privileges (PR:H) limits the pool of potential attackers who could manipulate LDAP configuration. Auditing LDAP server infrastructure to ensure referral targets cannot be externally manipulated or spoofed further constrains the attack surface.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Share

EUVD-2026-32508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy