Jenkins Addresses High-Severity Path Traversal and XSS Vulnerabilities in Key Plugins
The Jenkins Project has issued an urgent security advisory detailing seven distinct vulnerabilities spanning several widely adopted plugins. These flaws range from high-severity path traversal to stored Cross-Site Scripting (XSS), presenting significant risks that include unauthorized code execution and session hijacking within the CI/CD pipeline.
Transparency remains a cornerstone of the Jenkins ecosystem; these vulnerabilities were identified and responsibly disclosed through the Jenkins Bug Bounty Program, a security initiative supported by the European Commission. Because these flaws directly impact the integrity of the automation process, system administrators are urged to prioritize immediate patching.
Deep Dive: CVE-2026-42520 Path Traversal in Credentials Binding
The most pressing threat identified in this advisory is a high-severity path traversal vulnerability, tracked as CVE-2026-42520. This flaw resides within the Credentials Binding Plugin (versions up to and including 719.v80e905ef14eb_).
At a technical level, the issue stems from a lack of rigorous sanitization regarding filenames used for file and ZIP-based credentials. An attacker capable of providing credentials to a specific job can manipulate the file paths to write arbitrary files to unauthorized locations on the Jenkins node’s local filesystem. In environments where low-privileged users are permitted to configure job credentials on the built-in controller node, this path traversal can be leveraged to escalate privileges and achieve full Remote Code Execution (RCE).
Resolution: This has been neutralized in version 720.v3f6decef43ea_ by implementing strict filename sanitization protocols.
Stored XSS Vulnerabilities: GitHub and HTML Publisher Plugins
Beyond the file system risks, the advisory highlights two high-severity Stored XSS vulnerabilities that could allow attackers to execute malicious scripts in the context of a user’s browser session.
- GitHub Plugin (CVE-2026-42523): Affecting versions 1.46.0 and earlier, this flaw involves improper validation of the current job URL during JavaScript processing for the “GitHub hook trigger for GITScm polling” feature. An attacker with Overall/Read permissions can inject scripts that will execute when other users view the job. This is resolved in version 1.46.0.1.
- HTML Publisher Plugin (CVE-2026-42524): Versions 427 and earlier fail to adequately escape job names and URLs within legacy wrapper files. Users with Item/Configure permissions can exploit this to launch XSS attacks. While version 427.1 provides a fix for new wrappers, organizations relying on strict Content Security Policy (CSP) configurations may already have a layer of inherent mitigation.
Analysis of Medium-Severity Flaws
The update also addresses four medium-severity issues that, while less direct than RCE, could be used as stepping stones in a sophisticated multi-stage attack:
- Script Security Plugin (CVE-2026-42519): A missing permission check on an HTTP endpoint allows users with Overall/Read access to improperly enumerate approved and pending classpaths, leading to potential information disclosure.
- Matrix Authorization Strategy Plugin (CVE-2026-42521): This involves an unsafe deserialization bug. Attackers with Item/Configure permission could instantiate arbitrary types via parameterless constructors, potentially facilitating unauthorized data access.
- GitHub Branch Source Plugin (CVE-2026-42522): A missing permission check allows attackers to conduct connection tests using credentials of their choice, potentially leaking information about GitHub App configurations.
- Microsoft Entra ID Plugin (CVE-2026-42525): An open redirect flaw could be weaponized for phishing, redirecting authenticated users to a malicious external domain immediately after a successful login.
Quick Reference: Vulnerability & Patch Matrix
To streamline your remediation efforts, please refer to the table below:
| Plugin Name | Vulnerability Type | Affected Versions | Required Patch |
|---|---|---|---|
| Credentials Binding | Path Traversal (High) | ≤ 719.v80e905ef14eb_ | 720.v3f6decef43ea_ |
| GitHub | Stored XSS (High) | ≤ 1.46.0 | 1.46.0.1 |
| HTML Publisher | Stored XSS (High) | ≤ 427 | 427.1 |
| Script Security | Information Disclosure | ≤ 1399.ve6a_66547f6e1 | 1402.v94c9ce464861 |
| Matrix Authorization | Unsafe Deserialization | ≤ 3.2.9 | 3.2.10 |
| GitHub Branch Source | Permission Bypass | ≤ 1967.vdea_d580c1a_b_a_ | 1967.1969.v205fd594c821 |
| Microsoft Entra ID | Open Redirect | ≤ 666.v6060de32f87d | 667.v4c5827a_e74a_0 |
Immediate Action Required: Organizations should prioritize the Credentials Binding, GitHub, and HTML Publisher plugins due to their high impact. All updates can be deployed directly via the Jenkins Update Center. If you are unable to patch immediately, consider tightening your Content Security Policy and restricting user permissions to the minimum required for their roles.