This advisory announces vulnerabilities in the following Jenkins deliverables:
script-security
Script Security Plugin provides a sandbox feature that allows running user-provided scripts safely by intercepting and checking potentially unsafe operations.
Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type cast applied to each element of the iterated collection in a typed for loop (e.g. for (Type t in collection)), as this cast is performed during bytecode generation rather than in the transformed script AST.
This allows attackers able to provide sandboxed scripts to invoke constructors of arbitrary types without those invocations being checked by the sandbox, bypassing the sandbox protection. This can be used to execute arbitrary code on the Jenkins controller.
Script Security Plugin 1402.1405.vc96e74964250 updates the bundled groovy-sandbox library to a version that intercepts the implicit type cast applied to typed for loop elements, so those casts are checked by the sandbox.
script-security
Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations such as @CompileStatic and @TypeChecked that carry an extensions member, which causes Groovy to load and execute a script from the classpath at compile time, before the sandbox is applied.
This may allow attackers able to define and run sandboxed scripts to execute code outside the sandbox, in the rare case that a suitable Groovy script is present on the classpath of the component that evaluates the script.
The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.
Script Security Plugin 1402.1405.vc96e74964250 rejects any annotation carrying an extensions member during sandbox compilation, before Groovy can resolve or execute the referenced script.
git-client
Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification strategy on Unix agents.
This allows attackers able to control the name of a build’s working directory (e.g. through a build parameter that determines the workspace directory) to inject shell command substitution and execute arbitrary commands on the agent.
This vulnerability only has an impact when attackers can control working directories (e.g., the argument to the dir(…) Pipeline step) while not being able to control the Pipeline itself or the programs or build scripts it executes.
This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission.
Git client Plugin 6.6.1 stores the known_hosts file used by the "Manually provided keys" Git Host Key Verification strategy in the system temporary directory, so the workspace directory name is no longer embedded in the path passed to the generated SSH wrapper script.
workflow-cps
Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, instantiating any type with a constructor annotated with @DataBoundConstructor in response to a request.
This allows attackers to have Pipeline: Groovy Plugin instantiate types related to job or system configuration other than Pipeline steps.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers to create a script approval request attributed to another user, impersonating a trusted user when social engineering an administrator into approving a malicious script.
This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission.
Pipeline: Groovy Plugin 4331.4333.v50a_b_076c5199 only instantiates Pipeline steps and metastep delegates through the Snippet Generator, and requires POST requests for the affected HTTP endpoint.
github-branch-source
GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier does not perform a permission check in an HTTP endpoint that lists the GitHub API endpoints configured in the global plugin configuration.
This allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured by administrators.
This vulnerability has been reported through the Jenkins Bug Bounty Program sponsored by the European Commission.
GitHub Branch Source Plugin 1967.1970.vd86979736546 requires Overall/Manage permission or Item/Extended Read permission on an item to list the configured GitHub API endpoints.
git-parameter
Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier does not perform a permission check in an HTTP endpoint that populates the list of values for Git parameters by querying the SCM configured on a job, using the SCM credentials configured in Jenkins.
This allows attackers with Item/Read permission to obtain information about the SCM repository used by a job they would otherwise be unable to access, such as branch names, tag names, and revision metadata.
Git Parameter Plugin 462.463.v496a_59f698e5 requires Item/Build permission to populate the list of values for Git parameters.
jobConfigHistory
Job Configuration History Plugin 1356.ve360da_6c523a_ and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations through its "View as XML" / "(RAW)" feature and its configuration diff views.
This allows attackers with Item/Extended Read permission (but not Item/Configure permission) to view the encrypted values of secrets, such as build trigger tokens, that Jenkins would otherwise redact from the configuration shown to them.
Job Configuration History Plugin 1367.vc8fa_b_15101dc redacts the encrypted values of secrets when displaying historical job and agent configurations through its "View as XML" / "(RAW)" feature and its configuration diff views to users lacking Item/Configure permission.
active-directory
In Active Directory Plugin 2.41.1 and earlier, the Windows native (ADSI) authentication path does not escape the user name before building the LDAP search filter.
This allows unauthenticated attackers to inject LDAP wildcard characters into the user name, enabling them to enumerate directory user and group names, and to authenticate as a matching user when they know that user’s password but not their exact user name.
Active Directory Plugin 2.41.2 escapes the user name in the Windows native (ADSI) authentication path before building the LDAP search filter.
mcp-server
MCP Server Plugin 0.177.v629fdb_2557fe and earlier does not perform a permission check in the getReplayScripts MCP tool that returns the replay script of a Pipeline build.
This allows attackers with Item/Read permission to obtain the Pipeline script of jobs.
MCP Server Plugin 0.178.vffe5a_e770f3b_ requires Item/Extended Read permission to return the replay script of a Pipeline build through the getReplayScripts MCP tool.
bitbucket-push-and-pull-request
Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for the connections it makes to Bitbucket Server using Bearer token authentication.
Because the Bearer token is transmitted in these requests, this allows attackers able to intercept network traffic to capture the token and impersonate the Jenkins controller to Bitbucket Server.
Bitbucket Push and Pull Request Plugin 3.3.9 validates SSL/TLS certificates and hostnames for the connections it makes to Bitbucket Server using Bearer token authentication, using the trust store configured for the Jenkins controller JVM.
PrioritySorter
Priority Sorter Plugin 936.v2c01c6b_84449 and earlier does not require POST requests in an HTTP endpoint that saves the global job priority configuration.
This allows attackers to overwrite the global job priority configuration.
Priority Sorter Plugin 936.937.v5581d0b_2ccb_a_ requires POST requests for the affected HTTP endpoint.
gitee
Gitee Plugin 1288.v18b_deb_c9069b_ and earlier does not perform permission checks in several HTTP endpoints implementing form validation for its global configuration.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Gitee Plugin 1292.v2559f2f3f2c0 requires the appropriate permissions in the affected HTTP endpoints, and requires POST requests.
gitee
Gitee Plugin 1288.v18b_deb_c9069b_ and earlier does not correctly perform a permission check in an HTTP endpoint.
This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
Gitee Plugin 1292.v2559f2f3f2c0 requires Overall/Administer permission to enumerate credentials IDs.
ec2-fleet
EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier does not perform permission checks in several HTTP endpoints used to validate cloud configurations.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
EC2 Fleet Plugin 4.2.3.540.va_6eedb_7b_c112 requires Overall/Administer permission and POST requests to perform these form validation actions.
external-workspace-manager
External Workspace Manager Plugin 1.3.2 and earlier does not reject .. path segments when validating the custom workspace path provided to the exwsAllocate Pipeline step, allowing the resulting workspace path to escape the configured disk mount point.
This allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution (see Reading Files).
External Workspace Manager Plugin 1.4.0 rejects .. path segments when validating the custom workspace path, and additionally verifies that the requested path is contained within the configured disk mount point before serving it through the external workspace browse functionality.
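An added Java example, not taken from the plugin, of the two checks the fix describes: rejecting .. segments and verifying that the normalized path stays under the mount point. The class and method names are hypothetical.

```java
import java.nio.file.Path;

public final class WorkspacePathValidator {

    // First check from the fix: refuse any custom path containing a ".." segment,
    // whichever separator the caller used.
    public static boolean hasParentSegment(String customPath) {
        for (String segment : customPath.split("[/\\\\]")) {
            if ("..".equals(segment)) {
                return true;
            }
        }
        return false;
    }

    // Second check: resolve the custom path under the mount point and verify the
    // normalized result still lies inside it. Returns null when the path escapes.
    public static Path resolveInsideMount(Path mountPoint, String customPath) {
        if (hasParentSegment(customPath)) {
            return null;
        }
        Path base = mountPoint.toAbsolutePath().normalize();
        // resolve() returns the argument unchanged when it is absolute, so an
        // absolute customPath fails the containment test below instead of being accepted.
        Path resolved = base.resolve(customPath).normalize();
        // startsWith compares whole components: /mnt/disk1 does not contain /mnt/disk10/x.
        if (!resolved.startsWith(base)) {
            return null;
        }
        return resolved;
    }
}
```

normalize() does not follow symbolic links; if links inside the mount point are a concern, compare toRealPath() results instead.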
contrast-continuous-application-security
Contrast Continuous Application Security Plugin 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Contrast Continuous Application Security Plugin 3.12 requires Overall/Administer permission and POST requests to test the connection to a Contrast TeamServer.
contrast-continuous-application-security
Contrast Continuous Application Security Plugin 3.11 and earlier does not perform permission checks in several HTTP endpoints that fill list box options with the names of the configured Contrast metadata.
This allows attackers with Overall/Read permission to enumerate the names of configured Contrast metadata.
Contrast Continuous Application Security Plugin 3.12 requires the appropriate permission to enumerate the configured Contrast metadata.
zapper
OWASP ZAP Plugin 1.0.7 and earlier does not support distributed builds, causing the file operations and build process of its "Automatically build ZAP" feature to be performed on the Jenkins controller rather than on the agent the build is assigned to.
This allows attackers with Item/Configure permission to configure the feature to build an attacker-controlled project, executing arbitrary code on the Jenkins controller and bypassing any restriction confining the build to a specific agent.
As of publication of this advisory, there is no fix. Learn why we announce this.
fitnesse
FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
assembla
Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks when parsing responses from the configured Assembla server.
This allows attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.
As of publication of this advisory, there is no fix. Learn why we announce this.
assembla
Assembla Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to an Assembla server.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
This does not allow exploiting the XML external entity (XXE) vulnerability described in the previous advisory entry.
As of publication of this advisory, there is no fix. Learn why we announce this.
zdevops
Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
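The missing permission check and missing POST requirement in the form-validation endpoints of the gitee, ec2-fleet, Contrast, Assembla and zDevOps entries above share one fix pattern. As an added Java example (not any of these plugins' code), a hypothetical ExampleServer descriptor shows a vulnerable endpoint beside its hardened form; the check placed before any network call is what stops the endpoint from being used to aim a stored credential at an attacker-chosen URL.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor for a global "ExampleServer" configuration.
public class ExampleServerDescriptor {
    // Vulnerable form: any user with Overall/Read can reach this with a GET, aiming a stored
    // credential at an attacker-chosen URL, and a cross-site request can trigger it (CSRF).
    public FormValidation doTestConnectionVulnerable(@QueryParameter String serverUrl,
                                                     @QueryParameter String credentialsId) {
        return testConnection(serverUrl, credentialsId);
    }

    // Hardened form: @RequirePOST rejects GET (so Jenkins' CSRF crumb check applies) and
    // the permission check runs before any network I/O.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return testConnection(serverUrl, credentialsId);
    }

    // Job-scoped variant: require Item/Configure on the job the form belongs to; with no
    // job in the request path (item == null), fall back to the global permission.
    @RequirePOST
    public FormValidation doCheckCredentialsId(@AncestorInPath Item item,
                                               @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return credentialsId == null || credentialsId.isEmpty()
                ? FormValidation.warning("No credentials selected")
                : FormValidation.ok();
    }

    // Shared input validation; a real plugin would contact serverUrl after this point.
    private FormValidation testConnection(String serverUrl, String credentialsId) {
        if (serverUrl == null || serverUrl.isBlank()) {
            return FormValidation.error("Server URL is required");
        }
        return FormValidation.ok();
    }
}
```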
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: