Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.
AnalysisAI
Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrative credentials to achieve full system compromise by manipulating the LDAP referral processing path. The plugin deserializes data received from LDAP referrals without validation (CWE-502), which can enable arbitrary code execution on the Jenkins controller. No public exploit exists at time of analysis, and CISA SSVC assesses this as not automatable, though technical impact is rated total - making it a targeted rather than opportunistic threat.
Technical ContextAI
Jenkins Active Directory Plugin integrates Jenkins with Microsoft Active Directory authentication via LDAP. LDAP referrals are standard protocol responses where one directory server redirects a client to query another - a feature this plugin follows automatically during authentication lookups. The root cause is CWE-502 (Deserialization of Untrusted Data): when the plugin receives and processes data from a referred LDAP server, it deserializes the content without any integrity or class validation. This is a well-understood Java attack primitive - a crafted serialized object payload embedded in the referral response can trigger gadget chains leading to arbitrary code execution. The affected CPE scope covers Jenkins Active Directory Plugin from version 0 through 2.41 inclusive, as confirmed by EUVD-2026-32510.
RemediationAI
The primary remediation is to upgrade Jenkins Active Directory Plugin to a version beyond 2.41 as directed by the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3659. The exact patched release version number is not independently confirmed from the provided input data and must be obtained directly from that advisory. As a compensating control where immediate patching is not feasible, administrators can disable LDAP referral following in the Active Directory plugin configuration, preventing the plugin from processing data from referred LDAP servers entirely; note this may break cross-domain or multi-forest Active Directory authentication. Strictly enforcing the principle of least privilege for Jenkins administrative accounts reduces the attack surface, since PR:H is a hard prerequisite for exploitation. Network-level egress filtering restricting outbound LDAP connections from the Jenkins host to only known, trusted domain controllers limits exposure to attacker-controlled referral endpoints.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32510
GHSA-p2gw-f3rv-82mw