Jenkins Multiple Plugins Security Bulletin: LDAP Redirect RCE, File Read, XSS, CSRF

Jenkins Security Advisory 2026-05-27 Vulnerability Overview This advisory announces vulnerabilities in the following Jenkins deliverables: Active Directory Plugin AppSpider Plugin Bitbucket OAuth Plugin buildgraph-view Plugin Credentials Binding Plugin Email Extension Plugin GitHub Integration Plugin Job Import Plugin LDAP Plugin Multijob Plugin Pipeline: Groovy Libraries Plugin Affected Versions LDAP Plugin: 807.v7d7de30930cf and earlier Active Directory Plugin: 2.41 and earlier Email Extension Plugin: 1933.v45cec755423f and earlier Pipeline: Groovy Libraries Plugin: 797.v90ea_a_9b_e45a_0 and earlier Credentials Binding Plugin: 720.v3f6decef43ea_ and earlier AppSpider Plugin: 1.0.17 and earlier Bitbucket OAuth Plugin: 0.17 and earlier GitHub Integration Plugin: 0.7.3 and earlier Multijob Plugin: 662.vd2e0001fb_b_d and earlier Job Import Plugin: 143.v044a_2e819b_27 and earlier buildgraph-view Plugin: 1.8 and earlier Remediation LDAP Plugin: Upgrade to 807.809.vd3a_4e5e4ec98 Active Directory Plugin: Upgrade to 2.41.1 Email Extension Plugin: Upgrade to 1933.1935.v276319e3cc47 Pipeline: Groovy Libraries Plugin: Upgrade to 798.v5cc688825312 Credentials Binding Plugin: Upgrade to 725.ve52b_2328a_fde AppSpider Plugin: Upgrade to 1.0.18 Bitbucket OAuth Plugin: Upgrade to 0.18 GitHub Integration Plugin: Upgrade to 0.7.4 Multijob Plugin: Upgrade to 669.v9d96a_9c71b_0 Job Import Plugin: Upgrade to 143.145.v48f9a_a_6ff384 buildgraph-view Plugin: No patched version available Vulnerability Details 1. LDAP Plugin: Unverified LDAP redirection leading to Remote Code Execution (RCE) 2. Active Directory Plugin: Unverified LDAP redirection leading to Remote Code Execution (RCE) 3. Email Extension Plugin: Arbitrary file read vulnerability 4. Pipeline: Groovy Libraries Plugin: Arbitrary file read via symlinks 5. Credentials Binding Plugin: Path traversal vulnerability 6. AppSpider Plugin: Missing authorization check allowing request sending 7. Bitbucket OAuth Plugin: Open redirect vulnerability 8. GitHub Integration Plugin: Cross-Site Request Forgery (CSRF) vulnerability 9. Multijob Plugin: Cross-Site Request Forgery (CSRF) vulnerability 10. Job Import Plugin: Missing authorization check leading to enumeration of credential IDs 11. buildgraph-view Plugin: Stored Cross-Site Scripting (XSS) vulnerability Remediation Advice Upgrade to the specified versions listed above to fix the vulnerabilities. For situations where immediate upgrade is not possible, refer to the temporary mitigation measures provided in the advisory. Credits Thanks to the following individuals for discovering and reporting these vulnerabilities: Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel, Adiel Sol Mitchell Benjamin, Revamp Studio, Qianheng Wang Olawale Titloye, Samy Medjahed, Eliott Laurie Tommaso Gregori, Yaroslav Afenkin, dylingman1 Additional Information Vulnerability Severity: Ranges from Medium to High Vulnerability IDs: SECURITY-3654 through SECURITY-3790 --- Note: This advisory does not include specific POC code or exploit code.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Multiple Plugins Security Bulletin: LDAP Redirect RCE, File Read, XSS, CSRF