Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds.
AnalysisAI
Cross-site request forgery in Jenkins Multijob Plugin versions up to and including 662.vd2e0001f6b_b_d enables unauthenticated remote attackers to resume failed Multijob builds by tricking an authenticated Jenkins user into issuing a forged request. The CVSS vector (PR:N/UI:R) confirms no attacker privileges are required, but victim interaction is mandatory, limiting scalability. No public exploit code and no active exploitation have been identified at time of analysis; SSVC independently corroborates Exploitation: none.
Technical ContextAI
Jenkins Multijob Plugin extends the Jenkins CI/CD automation server to support complex multi-phase, multi-job build pipelines. CWE-352 (Cross-Site Request Forgery) describes a class of web vulnerabilities where a server-side action endpoint fails to validate that an incoming request was intentionally initiated by the authenticated user - typically by omitting or not checking a synchronizer token (known in Jenkins as a 'crumb'). In this case, the plugin's build-resume endpoint lacks proper CSRF protection, meaning a forged cross-origin HTTP request carrying the victim's valid session cookie is indistinguishable from a legitimate one. Affected versions span all releases up to 662.vd2e0001f6b_b_d as confirmed by EUVD-2026-32519 and the Jenkins security advisory SECURITY-3781 published 2026-05-27.
RemediationAI
Update Jenkins Multijob Plugin to the version released after 662.vd2e0001f6b_b_d as directed by the vendor advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3781. The exact patched release version is not independently confirmed from available input data - consult the Jenkins Update Center and the advisory directly for the current fixed version number before upgrading. As a compensating control where immediate patching is not feasible, restrict network access to the Jenkins instance so that only trusted internal hosts can reach build-action endpoints, reducing the attacker's ability to deliver a forged request via an external malicious page. Additionally, enforcing strict Content Security Policy headers and ensuring Jenkins CSRF protection (crumbs) is globally enabled in Jenkins system configuration can reduce residual risk. Note that network-level restrictions may impact external CI/CD integrations.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32519
GHSA-hj3h-r49w-34wh