Jenkins Plugin Security Advisory: LDAP RCE, File Read, Path Traversal, and More

Jenkins Security Advisory 2026-05-27 Vulnerabilities Overview This advisory announces vulnerabilities in the following Jenkins artifacts: Active Directory Plugin AppSpider Plugin Bitbucket OAuth Plugin buildgraph-view Plugin Credentials Binding Plugin Email Extension Plugin GitHub Integration Plugin Job Import Plugin LDAP Plugin Multijob Plugin Pipeline: Groovy Libraries Plugin Affected Components RCE vulnerability from unvalidated LDAP referrals in LDAP Plugin - Affected versions: LDAP Plugin 807.v7d7de30930cf and earlier - Severity: Medium - Description: LDAP Plugin 807.v7d7de30930cf and earlier versions follow LDAP referrals from the configured LDAP server. These referrals can redirect to RMI URLs, leading to Jenkins deserializing attacker-controlled data and resulting in Remote Code Execution (RCE) on the Jenkins controller. RCE vulnerability from unvalidated LDAP referrals in Active Directory Plugin - Affected versions: Active Directory Plugin 2.41 and earlier - Severity: Medium - Description: Active Directory Plugin 2.41 and earlier versions follow LDAP referrals from the configured Active Directory server by default. These referrals can redirect to RMI URLs, leading to Jenkins deserializing attacker-controlled data and resulting in Remote Code Execution (RCE) on the Jenkins controller. Arbitrary file read vulnerability in Email Extension Plugin - Affected versions: Email Extension Plugin 1933.v45cec755423f and earlier - Severity: High - Description: Email Extension Plugin 1933.v45cec755423f and earlier versions include a feature allowing inline images as base64 by setting the attribute. There is no restriction on the image URLs that can be inlined. Arbitrary file read vulnerability through symbolic links in Pipeline: Groovy Libraries Plugin - Affected versions: Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier - Severity: High - Description: Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier versions do not disallow symbolic links in shared libraries. Path traversal vulnerability in Credentials Binding Plugin - Affected versions: Credentials Binding Plugin 720.v3f6decef43ea_ and earlier - Severity: High - Description: Credentials Binding Plugin 720.v3f6decef43ea_ and earlier versions do not correctly sanitize file paths for filenames and zip file credentials. Missing permission check in AppSpider Plugin allows sending requests - Affected versions: AppSpider Plugin 1.0.17 and earlier - Severity: Medium - Description: AppSpider Plugin 1.0.17 and earlier versions do not perform permission checks in the method implementing form validation. Open redirect vulnerability in Bitbucket OAuth Plugin - Affected versions: Bitbucket OAuth Plugin 0.17 and earlier - Severity: Medium - Description: Bitbucket OAuth Plugin 0.17 and earlier versions do not restrict redirect URLs after login. CSRF vulnerability in GitHub Integration Plugin - Affected versions: GitHub Integration Plugin 0.7.3 and earlier - Severity: Medium - Description: GitHub Integration Plugin 0.7.3 and earlier versions do not require CSRF tokens for POST requests to HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. CSRF vulnerability in Multijob Plugin allows resuming builds - Affected versions: Multijob Plugin 662.vd2e0001fb_b_d and earlier - Severity: Medium - Description: Multijob Plugin 662.vd2e0001fb_b_d and earlier versions do not require CSRF tokens for POST requests to HTTP endpoints, leading to a Cross-Site Request Forgery (CSRF) vulnerability. Missing permission check in Job Import Plugin allows enumerating credentials IDs - Affected versions: Job Import Plugin 143.v044a_2e819b_27 and earlier - Severity: Medium - Description: Job Import Plugin 143.v044a_2e819b_27 and earlier versions do not perform permission checks in HTTP endpoints. Stored XSS vulnerability in buildgraph-view Plugin - Affected versions: buildgraph-view Plugin 1.8 and earlier - Severity: High - Description: buildgraph-view Plugin 1.8 and earlier versions do not escape build URLs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. Remediation Active Directory Plugin should be updated to version 2.41.1 AppSpider Plugin should be updated to version 1.0.18 Bitbucket OAuth Plugin should be updated to version 0.18 Credentials Binding Plugin should be updated to version 725.v52b_2328a_fde Email Extension Plugin should be updated to version 1933.v276319e3cc47 GitHub Integration Plugin should be updated to version 0.7.4 Job Import Plugin should be updated to version 143.145.v48f9a_a_6ff384 LDAP Plugin should be updated to version 807.809.vd3a_4e5e4ec98 Multijob Plugin should be updated to version 669.v9d96a_9c71b_0 Pipeline: Groovy Libraries Plugin should be updated to version 798.v5cc688825312 These versions include fixes for the aforementioned vulnerabilities. All other versions are considered affected unless otherwise stated. Credits Thanks to the following individuals for discovering and reporting these vu

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Plugin Security Advisory: LDAP RCE, File Read, Path Traversal, and More