Jenkins Security Advisory: RCE/LFI/CSRF in Multiple Plugins

Jenkins Security Advisory 2026-05-27 Vulnerability Overview This advisory announces vulnerabilities in the following Jenkins components: Active Directory Plugin AppSpider Plugin Bitbucket OAuth Plugin buildgraph-view Plugin Credentials Binding Plugin Email Extension Plugin GitHub Integration Plugin Job Import Plugin LDAP Plugin Multijob Plugin Pipeline: Groovy Libraries Plugin Impact Scope RCE vulnerability from unvalidated LDAP referrals in LDAP Plugin - Affected Plugin: ldap - Severity: Medium - Description: LDAP Plugin 807.v7d7de30930cf and earlier versions follow LDAP referrals from the configured LDAP server. These can be redirected to RMI URLs that lead to Jenkins deserialization of attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller. RCE vulnerability from unvalidated LDAP referrals in Active Directory Plugin - Affected Plugin: active-directory - Severity: Medium - Description: Active Directory Plugin 2.41 and earlier versions follow LDAP referrals from the configured Active Directory server by default. These can be redirected to RMI URLs that lead to Jenkins deserialization of attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller. Arbitrary file read vulnerability in Email Extension Plugin - Affected Plugin: email-ext - Severity: High - Description: Email Extension Plugin 1933.v45cec755423f and earlier versions include a attribute that allows inline images to be set as base64 in the email content. There are no restrictions on the image URLs that can be inlined. Arbitrary file read vulnerability through symbolic links in Pipeline: Groovy Libraries Plugin - Affected Plugin: pipeline-groovy-lib - Severity: High - Description: Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier versions do not prohibit symbolic links in shared libraries. Path traversal vulnerability in Credentials Binding Plugin - Affected Plugin: credentials-binding - Severity: High - Description: Credentials Binding Plugin 720.v3f6decef43ea_ and earlier versions do not properly sanitize filenames for file and zip credentials. Missing permission check in AppSpider Plugin allows sending requests - Affected Plugin: jenkinsci-appspider-plugin - Severity: Medium - Description: AppSpider Plugin 1.0.17 and earlier versions do not perform a permission check in the method implementing form validation. Open redirect vulnerability in Bitbucket OAuth Plugin - Affected Plugin: bitbucket-oauth - Severity: Medium - Description: Bitbucket OAuth Plugin 0.17 and earlier versions do not restrict the redirect URL after login. CSRF vulnerability in GitHub Integration Plugin - Affected Plugin: github-pullrequest - Severity: Medium - Description: GitHub Integration Plugin 0.7.3 and earlier versions do not require a POST request for the HTTP endpoint, leading to a Cross-Site Request Forgery (CSRF) vulnerability. CSRF vulnerability in Multijob Plugin allows resuming builds - Affected Plugin: jenkins-multijob-plugin - Severity: Medium - Description: Multijob Plugin 662.vd2e0001fb_b_d and earlier versions do not require a POST request for the HTTP endpoint, leading to a Cross-Site Request Forgery (CSRF) vulnerability. Missing permission check in Job Import Plugin allows enumerating credentials IDs - Affected Plugin: job-import-plugin - Severity: Medium - Description: Job Import Plugin 143.v044a_2e819b_27 and earlier versions do not perform a permission check in the HTTP endpoint. Stored XSS vulnerability in buildgraph-view Plugin - Affected Plugin: buildgraph-view - Severity: High - Description: buildgraph-view Plugin 1.8 and earlier versions do not escape build URLs. Remediation Active Directory Plugin should be updated to version 2.41.1 AppSpider Plugin should be updated to version 1.0.18 Bitbucket OAuth Plugin should be updated to version 0.18 Credentials Binding Plugin should be updated to version 725.ve52b_2328a_fde Email Extension Plugin should be updated to version 1933.v276319e3cc47 GitHub Integration Plugin should be updated to version 0.7.4 Job Import Plugin should be updated to version 143.145.v48f9a_a_6ff384 LDAP Plugin should be updated to version 807.809.vd3a_4e5e4ec98 Multijob Plugin should be updated to version 669.v9d96a_9c71b_0 Pipeline: Groovy Libraries Plugin should be updated to version 798.v5cc688825312 These versions include fixes for the above vulnerabilities. All previous versions are considered affected by these vulnerabilities unless otherwise noted. Credits The Jenkins project thanks the following reporters for discovering and reporting these vulnerabilities: Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel, Adiel Sol from DREAM for SECURITY-3654 Mitchell Benjamin, Revamp Studio, and, independently, Qianheng Wang for SECURITY-3790 Olawale Titloye, Samy Medjahed (Ap4sh) & Elliott Laurie (Ethiczcz); and, independently, Samy Medjahed (Ap4sh) & Elliott Laurie (Ethiczcz); and @surrealgrain on GitHub for SECURITY-3727 Tommaso Grego

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: RCE/LFI/CSRF in Multiple Plugins