Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
AnalysisAI
Unencrypted secret storage in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) exposes credentials submitted via POST config.xml to any user holding Item/Extended Read permission or with read access to the Jenkins controller filesystem. Secrets that should be encrypted at rest are written as plaintext into job config.xml files, making them directly readable through Jenkins' built-in permission model or OS-level file access. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, but the privileged insider and lateral-movement risk is significant for organizations embedding CI/CD credentials in job configurations.
Technical ContextAI
Jenkins stores job configurations as XML files (config.xml) on the controller filesystem under the Jenkins home directory. When jobs contain secret fields - such as passwords, API tokens, or injected credentials - these values are normally encrypted before being written to disk using Jenkins' internal secret store. CWE-311 (Missing Encryption of Sensitive Data) describes the root cause: the controller does not apply encryption to secrets submitted via HTTP POST to the config.xml endpoint before persisting them, leaving plaintext credential values in the job's config.xml file. The CPE cpe:2.3:a:jenkins_project:jenkins:*:*:*:*:*:*:*:* covers all Jenkins Project distributions up to the patched releases. Any user or process able to read these files - via the Jenkins API under Item/Extended Read or via direct filesystem access - can extract the plaintext secrets.
RemediationAI
Upgrade to Jenkins 2.568 or later for weekly release users, or Jenkins LTS 2.555.3 or later for LTS users, per the vendor advisory at https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3744 and ENISA EUVD-2026-36026. These are the vendor-confirmed patched versions. If immediate upgrade is not feasible, restrict Item/Extended Read permissions in the Jenkins authorization matrix to only highly trusted operators, since this permission is the primary read path for job config.xml files - note that tightening this permission may break legitimate read-only access workflows that depend on it. Additionally, audit the Jenkins controller filesystem (typically $JENKINS_HOME/jobs/*/config.xml) for plaintext secrets in existing job configurations, and rotate any credentials found exposed, since files written before patching will remain unencrypted on disk even after upgrading. Limit OS-level read access to the Jenkins home directory to the jenkins service account to reduce filesystem exposure as a compensating control.
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex
The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/
Same weakness CWE-311 – Missing Encryption of Sensitive Data
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36026
GHSA-m6wv-wh8g-64xc