Skip to main content

Jenkins AppSpider Plugin EUVDEUVD-2026-32514

| CVE-2026-48923 MEDIUM
Improper Privilege Management (CWE-269)
2026-05-27 jenkinsci-cert@googlegroups.com GHSA-9wm7-8qf3-9v98
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:13 vuln.today

DescriptionCVE.org

Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.

AnalysisAI

Missing permission check in Jenkins AppSpider Plugin 1.0.17 and earlier allows any authenticated user with Overall/Read permission to force the Jenkins server to initiate connections to arbitrary attacker-specified URLs via a form validation endpoint. This constitutes a server-side request forgery (SSRF)-class primitive - an attacker can leverage this to probe internal network services, perform port scanning, or interact with internal infrastructure reachable by the Jenkins host. No public exploit has been identified at time of analysis, and CISA SSVC assessment confirms no active exploitation.

Technical ContextAI

The Jenkins AppSpider Plugin integrates Rapid7's AppSpider dynamic application security testing tool with Jenkins CI/CD pipelines. The vulnerability resides in a form validation handler - a Jenkins UI mechanism that validates configuration fields in real time via HTTP. CWE-269 (Improper Privilege Management) identifies the root cause: the validation method executes a privileged network operation (outbound HTTP connection) without verifying that the requesting user holds the necessary permissions (typically Overall/Administer or a dedicated credential permission). Because Jenkins form validation methods are accessible to any authenticated user at the Overall/Read level by default, the permission boundary is effectively bypassed. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the operation is remotely exploitable over the network with low-privilege credentials and no user interaction required. Affected versions are Jenkins AppSpider Plugin 0 through 1.0.17 inclusive, as documented by ENISA EUVD-2026-32514.

RemediationAI

The primary remediation is to upgrade the Jenkins AppSpider Plugin to a version released after 1.0.17, as the Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3671 documents this fix. Note: an exact fixed version number was not independently confirmed in the provided input data - consult the Jenkins Update Center or the linked advisory directly to identify the patched release before deploying. If an immediate upgrade is not possible, a compensating control is to restrict Overall/Read access to fully trusted users only, eliminating the low-privilege attacker prerequisite; this may affect other Jenkins functionality that relies on broad read access. Alternatively, network-level egress filtering on the Jenkins host can limit the usefulness of the SSRF primitive by blocking connections to internal network ranges, though this does not eliminate the underlying vulnerability and may impact legitimate AppSpider scanning workflows.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Share

EUVD-2026-32514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy