Skip to main content

Jenkins Multijob Plugin EUVDEUVD-2026-32519

| CVE-2026-9674 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-27 jenkinsci-cert@googlegroups.com GHSA-hj3h-r49w-34wh
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:09 vuln.today

DescriptionCVE.org

A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds.

AnalysisAI

Cross-site request forgery in Jenkins Multijob Plugin versions up to and including 662.vd2e0001f6b_b_d enables unauthenticated remote attackers to resume failed Multijob builds by tricking an authenticated Jenkins user into issuing a forged request. The CVSS vector (PR:N/UI:R) confirms no attacker privileges are required, but victim interaction is mandatory, limiting scalability. No public exploit code and no active exploitation have been identified at time of analysis; SSVC independently corroborates Exploitation: none.

Technical ContextAI

Jenkins Multijob Plugin extends the Jenkins CI/CD automation server to support complex multi-phase, multi-job build pipelines. CWE-352 (Cross-Site Request Forgery) describes a class of web vulnerabilities where a server-side action endpoint fails to validate that an incoming request was intentionally initiated by the authenticated user - typically by omitting or not checking a synchronizer token (known in Jenkins as a 'crumb'). In this case, the plugin's build-resume endpoint lacks proper CSRF protection, meaning a forged cross-origin HTTP request carrying the victim's valid session cookie is indistinguishable from a legitimate one. Affected versions span all releases up to 662.vd2e0001f6b_b_d as confirmed by EUVD-2026-32519 and the Jenkins security advisory SECURITY-3781 published 2026-05-27.

RemediationAI

Update Jenkins Multijob Plugin to the version released after 662.vd2e0001f6b_b_d as directed by the vendor advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3781. The exact patched release version is not independently confirmed from available input data - consult the Jenkins Update Center and the advisory directly for the current fixed version number before upgrading. As a compensating control where immediate patching is not feasible, restrict network access to the Jenkins instance so that only trusted internal hosts can reach build-action endpoints, reducing the attacker's ability to deliver a forged request via an external malicious page. Additionally, enforcing strict Content Security Policy headers and ensuring Jenkins CSRF protection (crumbs) is globally enabled in Jenkins system configuration can reduce residual risk. Note that network-level restrictions may impact external CI/CD integrations.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Share

EUVD-2026-32519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy