Jenkins Security Advisory: Multiple Plugins RCE, Deserialization, SSRF, and File Read Vulnerabilities

Jenkins Security Advisory 2026-05-27 Vulnerability Overview 1. RCE via Unverified LDAP Redirect in LDAP Plugin - CVE: CVE-2026-48916 (SSRF), CVE-2026-48917 (Deserialization) - Severity: Medium - Affected Plugin: LDAP Plugin - Description: LDAP Plugin versions 807.v7d7de30930cf and earlier follow LDAP redirects configured on the LDAP server. These redirects can be forwarded to RMI URLs, causing Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller. 2. RCE via Unverified LDAP Redirect in Active Directory Plugin - CVE: CVE-2026-48918 (SSRF), CVE-2026-48919 (Deserialization) - Severity: Medium - Affected Plugin: Active Directory Plugin - Description: Active Directory Plugin versions 2.41 and earlier follow LDAP redirects configured on the Active Directory server by default. These redirects can be forwarded to RMI URLs, causing Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller. 3. Arbitrary File Read in Email Extension Plugin - CVE: CVE-2026-48920 - Severity: High - Affected Plugin: Email Extension Plugin - Description: Email Extension Plugin versions 1933.v45cec755423f and earlier contain a feature allowing inline images by setting the attribute. There are no restrictions on the image URLs that can be inlined. 4. Arbitrary File Read via Symlink in Pipeline: Groovy Libraries Plugin - CVE: CVE-2026-48921 - Severity: High - Affected Plugin: Pipeline: Groovy Libraries Plugin - Description: Pipeline: Groovy Libraries Plugin versions 797.v90ea_a_9b_e45a_0 and earlier do not prohibit symlinks within shared libraries. 5. Path Traversal in Credentials Binding Plugin - CVE: CVE-2026-48922 - Severity: High - Affected Plugin: Credentials Binding Plugin - Description: Credentials Binding Plugin versions 720.v3f6decef43ea_ and earlier do not properly sanitize file names for file and zip file credentials. 6. Missing Permission Check Leading to Request Sending in AppSpider Plugin - CVE: CVE-2026-48923 - Severity: Medium - Affected Plugin: jenkinsci-appspider-plugin - Description: AppSpider Plugin versions 1.0.17 and earlier do not perform permission checks in the method used for form validation. 7. Open Redirect in Bitbucket OAuth Plugin - CVE: CVE-2026-48924 - Severity: Medium - Affected Plugin: bitbucket-oauth - Description: Bitbucket OAuth Plugin versions 0.17 and earlier do not restrict redirect URLs after login. 8. CSRF in GitHub Integration Plugin - CVE: CVE-2026-48925 - Severity: Medium - Affected Plugin: github-pullrequest - Description: GitHub Integration Plugin versions 0.7.3 and earlier do not require POST requests for HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. 9. CSRF Allowing Build Resume in Multijob Plugin - CVE: CVE-2026-9674 - Severity: Medium - Affected Plugin: jenkins-multijob-plugin - Description: Multijob Plugin versions 662.vd2e0001fb_b_d and earlier do not require POST requests for HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. 10. Missing Permission Check Leading to Credential ID Enumeration in Job Import Plugin - CVE: CVE-2026-48926 - Severity: Medium - Affected Plugin: job-import-plugin - Description: Job Import Plugin versions 143.v044a_2e819b_27 and earlier do not perform permission checks on HTTP endpoints. 11. Stored XSS in buildgraph-view Plugin - CVE: CVE-2026-48927 - Severity: High - Affected Plugin: buildgraph-view - Description: buildgraph-view Plugin versions 1.8 and earlier do not escape build URLs, leading to Stored Cross-Site Scripting (XSS) vulnerabilities. Affected Versions Active Directory Plugin: 2.41 and earlier AppSpider Plugin: 1.0.17 and earlier Bitbucket OAuth Plugin: 0.17 and earlier buildgraph-view Plugin: 1.8 and earlier Credentials Binding Plugin: 720.v3f6decef43ea_ and earlier Email Extension Plugin: 1933.v45cec755423f and earlier GitHub Integration Plugin: 0.7.3 and earlier Job Import Plugin: 143.v044a_2e819b_27 and earlier LDAP Plugin: 807.v7d7de30930cf and earlier Multijob Plugin: 662.vd2e0001fb_b_d and earlier Pipeline: Groovy Libraries Plugin: 797.v90ea_a_9b_e45a_0 and earlier Remediation Active Directory Plugin: Upgrade to 2.41.1 AppSpider Plugin: Upgrade to 1.0.18 Bitbucket OAuth Plugin: Upgrade to 0.18 Credentials Binding Plugin: Upgrade to 725.v52b_2328a_fde Email Extension Plugin: Upgrade to 1933.v45cec755423f GitHub Integration Plugin: Upgrade to 0.7.4 Job Import Plugin: Upgrade to 143.145.v48f9a_a_6ff384 LDAP Plugin: Upgrade to 807.809.vd3a_4e5e4ec98 Multijob Plugin: Upgrade to 669.v9d96a_9c71b_0 Pipeline: Groovy Libraries Plugin: Upgrade to 798.v5cc688825312 Additional Information Credit: The Jenkins Project thanks the following individuals for discovering and reporting these vulnerabilities: - Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel, Adiel Sol from DREAM for SECURITY-3654 - Mitchell Benjamin, Revamp Studio, and, independently, Qianheng Wang for SECU

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Multiple Plugins RCE, Deserialization, SSRF, and File Read Vulnerabilities