Jenkins Security Bulletin: Multiple Plugin Vulnerabilities including RCE, AFR, CSRF

Jenkins Security Advisory 2026-05-27 Vulnerability Summary Vulnerability Overview 1. RCE vulnerability due to unvalidated LDAP redirection in the LDAP Plugin - CVE: CVE-2026-48916 (SSRF), CVE-2026-48917 (Deserialization) - Severity: Medium - Affected Plugin: LDAP Plugin - Description: LDAP Plugin version 807.v7d7de30930cf and earlier follows LDAP redirections from the configured LDAP server, which can be redirected to RMI URLs. This allows Jenkins to deserialize attacker-controlled data, leading to Remote Code Execution (RCE) on the Jenkins controller. 2. RCE vulnerability due to unvalidated LDAP redirection in the Active Directory Plugin - CVE: CVE-2026-48918 (SSRF), CVE-2026-48919 (Deserialization) - Severity: Medium - Affected Plugin: Active Directory Plugin - Description: Active Directory Plugin version 2.41 and earlier follows LDAP redirections from the configured Active Directory server by default, which can be redirected to RMI URLs. This allows Jenkins to deserialize attacker-controlled data, leading to Remote Code Execution (RCE) on the Jenkins controller. 3. Arbitrary File Read vulnerability in the Email Extension Plugin - CVE: CVE-2026-48920 - Severity: High - Affected Plugin: Email Extension Plugin - Description: Email Extension Plugin version 1933.v45cec755423f and earlier contains a feature allowing inline images via the attribute. There are no restrictions on the image URLs that can be inlined. 4. Arbitrary File Read vulnerability via symlinks in the Pipeline: Groovy Libraries Plugin - CVE: CVE-2026-48921 - Severity: High - Affected Plugin: Pipeline: Groovy Libraries Plugin - Description: Pipeline: Groovy Libraries Plugin version 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries. 5. Path Traversal vulnerability in the Credentials Binding Plugin - CVE: CVE-2026-48922 - Severity: High - Affected Plugin: Credentials Binding Plugin - Description: Credentials Binding Plugin version 720.v3f6decef43ea_ and earlier does not properly sanitize filenames. 6. Missing permission check leading to request sending in the AppSpider Plugin - CVE: CVE-2026-48923 - Severity: Medium - Affected Plugin: AppSpider Plugin - Description: AppSpider Plugin version 1.0.17 and earlier fails to perform permission checks in methods implementing form validation. 7. Open Redirect vulnerability in the Bitbucket OAuth Plugin - CVE: CVE-2026-48924 - Severity: Medium - Affected Plugin: Bitbucket OAuth Plugin - Description: Bitbucket OAuth Plugin version 0.17 and earlier does not restrict redirect URLs after login. 8. CSRF vulnerability in the GitHub Integration Plugin - CVE: CVE-2026-48925 - Severity: Medium - Affected Plugin: GitHub Integration Plugin - Description: GitHub Integration Plugin version 0.7.3 and earlier does not require POST requests for HTTP endpoints, leading to Cross-Site Request Forgery (CSRF) vulnerabilities. 9. CSRF vulnerability in the Multijob Plugin allowing build recovery - CVE: CVE-2026-9674 - Severity: Medium - Affected Plugin: Multijob Plugin - Description: Multijob Plugin version 662.vd2e0001fb_b_d and earlier does not require POST requests for HTTP endpoints, leading to Cross-Site Request Forgery (CSRF) vulnerabilities. 10. Missing permission check leading to credential ID enumeration in the Job Import Plugin - CVE: CVE-2026-48926 - Severity: Medium - Affected Plugin: Job Import Plugin - Description: Job Import Plugin version 143.v044a_2e819b_27 and earlier fails to perform permission checks on HTTP endpoints. 11. Stored XSS vulnerability in the buildgraph-view Plugin - CVE: CVE-2026-48927 - Severity: High - Affected Plugin: buildgraph-view Plugin - Description: buildgraph-view Plugin version 1.8 and earlier does not escape build URLs, leading to Stored Cross-Site Scripting (XSS) vulnerabilities. Scope of Impact Active Directory Plugin: Version 2.41 and earlier AppSpider Plugin: Version 1.0.17 and earlier Bitbucket OAuth Plugin: Version 0.17 and earlier buildgraph-view Plugin: Version 1.8 and earlier Credentials Binding Plugin: Version 720.v3f6decef43ea_ and earlier Email Extension Plugin: Version 1933.v45cec755423f and earlier GitHub Integration Plugin: Version 0.7.3 and earlier Job Import Plugin: Version 143.v044a_2e819b_27 and earlier LDAP Plugin: Version 807.v7d7de30930cf and earlier Multijob Plugin: Version 662.vd2e0001fb_b_d and earlier Pipeline: Groovy Libraries Plugin: Version 797.v90ea_a_9b_e45a_0 and earlier Mitigation Active Directory Plugin: Upgrade to version 2.41.1 AppSpider Plugin: Upgrade to version 1.0.18 Bitbucket OAuth Plugin: Upgrade to version 0.18 Credentials Binding Plugin: Upgrade to version 725.ve52b_2328a_fde Email Extension Plugin: Upgrade to version 1933.v276319e3cc47 GitHub Integration Plugin: Upgrade to version 0.7.4 Job Import Plugin: Upgrade to version 143.145.v48f9a_a_6ff384 LDAP Plugin: Upgrade to version 807.809.vd3a_4e5e4ec98 Multijob Plugin: Upgrade to version 669.v9d96a_9c71b_0 Pipeline: Groovy Libraries Plugin: Upgrade to ver

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Bulletin: Multiple Plugin Vulnerabilities including RCE, AFR, CSRF