Jenkins Plugin Security Bulletin: RCE, SSRF, LFI via LDAP/AD/Credentials

Jenkins Security Advisory 2026-05-27 Vulnerability Overview This advisory announces vulnerabilities in the following Jenkins components: Active Directory Plugin AppSpider Plugin Bitbucket OAuth Plugin buildgraph-view Plugin Credentials Binding Plugin Email Extension Plugin GitHub Integration Plugin Job Import Plugin LDAP Plugin Multijob Plugin Pipeline: Groovy Libraries Plugin Scope of Impact 1. RCE via Unvalidated LDAP Redirection in LDAP Plugin - CVE: CVE-2026-48916 (SSRF), CVE-2026-48917 (Deserialization) - Severity: Medium - Affected Plugin: LDAP - Description: The LDAP Plugin versions 807.v7d7de30930cf and earlier follow LDAP redirections configured for the LDAP server. These redirections can be forwarded to RMI URLs, causing Jenkins to deserialize attacker-controlled data, leading to Remote Code Execution (RCE) on the Jenkins controller. 2. RCE via Unvalidated LDAP Redirection in Active Directory Plugin - CVE: CVE-2026-48918 (SSRF), CVE-2026-48919 (Deserialization) - Severity: Medium - Affected Plugin: active-directory - Description: The Active Directory Plugin versions 2.41 and earlier follow LDAP redirections configured for the Active Directory server by default. These redirections can be forwarded to RMI URLs, causing Jenkins to deserialize attacker-controlled data, leading to Remote Code Execution (RCE) on the Jenkins controller. 3. Arbitrary File Read in Email Extension Plugin - CVE: CVE-2026-48920 - Severity: High - Affected Plugin: email-ext - Description: The Email Extension Plugin versions 1933.v45cec755423f and earlier contain a feature that allows inlining images by setting the attribute. There are no restrictions on the image URLs that can be inlined. 4. Arbitrary File Read via Symlinks in Pipeline: Groovy Libraries Plugin - CVE: CVE-2026-48921 - Severity: High - Affected Plugin: pipeline-groovy-lib - Description: The Pipeline: Groovy Libraries Plugin versions 797.v90ea_a_9b_e45a_0 and earlier do not prohibit symbolic links within shared libraries. 5. Path Traversal in Credentials Binding Plugin - CVE: CVE-2026-48922 - Severity: High - Affected Plugin: credentials-binding - Description: The Credentials Binding Plugin versions 720.v3f6decef43ea_ and earlier do not properly sanitize filenames for file and zip file credentials. 6. Missing Authorization Check Leading to Request Sending in AppSpider Plugin - CVE: CVE-2026-48923 - Severity: Medium - Affected Plugin: jenkinsci-appspider-plugin - Description: The AppSpider Plugin versions 1.0.17 and earlier do not perform authorization checks in methods implementing form validation. 7. Open Redirect in Bitbucket OAuth Plugin - CVE: CVE-2026-48924 - Severity: Medium - Affected Plugin: bitbucket-oauth - Description: The Bitbucket OAuth Plugin versions 0.17 and earlier do not restrict redirect URLs after login. 8. CSRF Vulnerability in GitHub Integration Plugin - CVE: CVE-2026-48925 - Severity: Medium - Affected Plugin: github-pullrequest - Description: The GitHub Integration Plugin versions 0.7.3 and earlier do not require verification for POST requests to HTTP endpoints, leading to Cross-Site Request Forgery (CSRF) vulnerabilities. 9. CSRF Vulnerability Allowing Build Resumption in Multijob Plugin - CVE: CVE-2026-9674 - Severity: Medium - Affected Plugin: jenkins-multijob-plugin - Description: The Multijob Plugin versions 662.vd2e0001fb_b_d and earlier do not require verification for POST requests to HTTP endpoints, leading to Cross-Site Request Forgery (CSRF) vulnerabilities. 10. Missing Authorization Check Leading to Credential ID Enumeration in Job Import Plugin - CVE: CVE-2026-48926 - Severity: Medium - Affected Plugin: job-import-plugin - Description: The Job Import Plugin versions 143.v044a_2e819b_27 and earlier do not perform authorization checks in HTTP endpoints. 11. Stored XSS in buildgraph-view Plugin - CVE: CVE-2026-48927 - Severity: High - Affected Plugin: buildgraph-view - Description: The buildgraph-view Plugin versions 1.8 and earlier do not escape build URLs. Remediation Active Directory Plugin: Update to version 2.41.1 AppSpider Plugin: Update to version 1.0.18 Bitbucket OAuth Plugin: Update to version 0.18 Credentials Binding Plugin: Update to version 725.ve52b_2328a_fde Email Extension Plugin: Update to version 1933.v276319e3cc47 GitHub Integration Plugin: Update to version 0.7.4 Job Import Plugin: Update to version 143.145.v48f9a_a_6ff384 LDAP Plugin: Update to version 807.809.vd3a_4e5e4ec98 Multijob Plugin: Update to version 669.v9d96a_9c71b_0 Pipeline: Groovy Libraries Plugin: Update to version 798.v5cc688825312 Additional Information Severity: - SECURITY-3486: High - SECURITY-3654: Medium - SECURITY-3659: Medium - SECURITY-3671: Medium - SECURITY-3705: High - SECURITY-3727: High - SECURITY-3761: Medium - SECURITY-3776: Medium - SECURITY-3781: Medium - SECURITY-3783: Medium - SECURITY-3790: High Affected Versions: - Active Directory Plugin: 2.41 and earlier - AppSpider Plugin: 1.0.17 and earlier - Bitbucket OAuth Plugin: 0.17

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Plugin Security Bulletin: RCE, SSRF, LFI via LDAP/AD/Credentials