Skip to main content

Jenkins Active Directory Plugin EUVDEUVD-2026-38768

| CVE-2026-57288 LOW
LDAP Injection (CWE-90)
2026-06-24 jenkins GHSA-gx55-p8g7-p3fh
3.7
CVSS 3.1 · Vendor: jenkins

Severity by source

Vendor (jenkins) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.7 LOW

Network-accessible login endpoint with no auth needed, but AC:H due to required ADSI configuration and wildcard precision; only limited directory enumeration for confidentiality, no integrity or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 24, 2026 - 16:22 vuln.today
CVSS changed
Jun 24, 2026 - 15:22 NVD
3.7 (None) 3.7 (LOW)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 24, 2026 - 13:20 cve.org
LOW 3.7

DescriptionCVE.org

Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.

AnalysisAI

LDAP injection in Jenkins Active Directory Plugin 2.41.1 and earlier allows unauthenticated remote attackers to enumerate Active Directory entries and authenticate as any directory user they can identify via wildcard matching, provided they already know that user's password. The vulnerability is confined to the Windows native ADSI authentication path, limiting exposure to Jenkins instances running on Windows with ADSI configured. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Windows Jenkins with ADSI auth
Delivery
Submit wildcard username in login request
Exploit
Unescaped input alters LDAP filter semantics
Execution
Enumerate matching Active Directory entries
Persist
Submit wildcard with known password
Impact
Authenticate as matched user

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Jenkins Active Directory Plugin be explicitly configured to use the Windows native (ADSI) authentication path - this is not the default mode and applies only to Windows-hosted Jenkins deployments integrated with Active Directory via ADSI. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 3.7 (Low) is grounded in AC:H and C:L, reflecting meaningful real-world constraints: exploitation requires that Jenkins be deployed on Windows with the native ADSI path configured (non-default) and that attackers craft LDAP wildcard expressions with sufficient precision to resolve desired targets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker targeting a Windows-hosted Jenkins instance submits login requests with usernames containing LDAP wildcards (e.g., `jsmith*` or `admin*`), causing the ADSI filter to match multiple directory entries and return account existence information, enabling username enumeration. Once a target account is identified, the attacker submits the wildcard pattern as the username alongside the target's known password, authenticating successfully without knowing the exact account name. …
Remediation Upgrade the Jenkins Active Directory Plugin to a version later than 2.41.1, as directed by the vendor advisory at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651 - the exact fixed release version should be confirmed there, as it was not explicitly stated in the available intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

EUVD-2026-38768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy