Jenkins Plugin Security Advisory: RCE, SSRF, AFR, Path Traversal via CVEs

Jenkins Security Advisory 2026-05-27 Vulnerability Summary 1. RCE via Unvalidated LDAP Redirect in LDAP Plugin - CVE: CVE-2026-48916 (SSRF), CVE-2026-48917 (Deserialization) - Severity: Medium - Affected Plugin: LDAP Plugin - Description: The LDAP Plugin versions 807.v7d7de30930cf and earlier follow LDAP redirects from the configured LDAP server. These redirects can be redirected to RMI URLs, causing Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller. 2. RCE via Unvalidated LDAP Redirect in Active Directory Plugin - CVE: CVE-2026-48918 (SSRF), CVE-2026-48919 (Deserialization) - Severity: Medium - Affected Plugin: Active Directory Plugin - Description: The Active Directory Plugin versions 2.41 and earlier follow LDAP redirects from the configured Active Directory server by default. These redirects can be redirected to RMI URLs, causing Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller. 3. Arbitrary File Read in Email Extension Plugin - CVE: CVE-2026-48920 - Severity: High - Affected Plugin: Email Extension Plugin - Description: The Email Extension Plugin versions 1933.v45cec755423f and earlier contain a feature allowing inline images by setting the attribute. There are no restrictions on the image URLs that can be inlined. 4. Arbitrary File Read via Symlink in Pipeline: Groovy Libraries Plugin - CVE: CVE-2026-48921 - Severity: High - Affected Plugin: Pipeline: Groovy Libraries Plugin - Description: The Pipeline: Groovy Libraries Plugin versions 797.v90ea_a_9b_e45a_0 and earlier do not prohibit symbolic links within shared libraries. 5. Path Traversal in Credentials Binding Plugin - CVE: CVE-2026-48922 - Severity: High - Affected Plugin: Credentials Binding Plugin - Description: The Credentials Binding Plugin versions 720.v3f6decef43ea_ and earlier do not correctly sanitize filenames for file and zip file credentials. 6. Missing Permission Check Leading to Request Sending in AppSpider Plugin - CVE: CVE-2026-48923 - Severity: Medium - Affected Plugin: jenkinsci-appspider-plugin - Description: The AppSpider Plugin versions 1.0.17 and earlier do not perform permission checks in the method implementing form validation. 7. Open Redirect in Bitbucket OAuth Plugin - CVE: CVE-2026-48924 - Severity: Medium - Affected Plugin: bitbucket-oauth - Description: The Bitbucket OAuth Plugin versions 0.17 and earlier do not restrict redirect URLs after login. 8. CSRF in GitHub Integration Plugin - CVE: CVE-2026-48925 - Severity: Medium - Affected Plugin: github-pullrequest - Description: The GitHub Integration Plugin versions 0.7.3 and earlier do not require CSRF tokens for POST requests to HTTP endpoints, leading to Cross-Site Request Forgery (CSRF) vulnerabilities. 9. CSRF Allowing Build Resume in Multijob Plugin - CVE: CVE-2026-9674 - Severity: Medium - Affected Plugin: jenkins-multijob-plugin - Description: The Multijob Plugin versions 662.vd2e0001fb_b_d and earlier do not require CSRF tokens for POST requests to HTTP endpoints, leading to Cross-Site Request Forgery (CSRF) vulnerabilities. 10. Missing Permission Check Leading to Credential ID Enumeration in Job Import Plugin - CVE: CVE-2026-48926 - Severity: Medium - Affected Plugin: job-import-plugin - Description: The Job Import Plugin versions 143.v044a_2e819b_27 and earlier do not perform permission checks on HTTP endpoints. 11. Stored XSS in buildgraph-view Plugin - CVE: CVE-2026-48927 - Severity: High - Affected Plugin: buildgraph-view - Description: The buildgraph-view Plugin versions 1.8 and earlier do not escape build URLs. Impact Scope Active Directory Plugin: 2.41 and earlier AppSpider Plugin: 1.0.17 and earlier Bitbucket OAuth Plugin: 0.17 and earlier buildgraph-view Plugin: 1.8 and earlier Credentials Binding Plugin: 720.v3f6decef43ea_ and earlier Email Extension Plugin: 1933.v45cec755423f and earlier GitHub Integration Plugin: 0.7.3 and earlier Job Import Plugin: 143.v044a_2e819b_27 and earlier LDAP Plugin: 807.v7d7de30930cf and earlier Multijob Plugin: 662.vd2e0001fb_b_d and earlier Pipeline: Groovy Libraries Plugin: 797.v90ea_a_9b_e45a_0 and earlier Fix Solutions Active Directory Plugin: Upgrade to 2.41.1 AppSpider Plugin: Upgrade to 1.0.18 Bitbucket OAuth Plugin: Upgrade to 0.18 Credentials Binding Plugin: Upgrade to 725.ve52b_2328a_fde Email Extension Plugin: Upgrade to 1933.v45cec755423f GitHub Integration Plugin: Upgrade to 0.7.4 Job Import Plugin: Upgrade to 143.145.v48f9a_a_6ff384 LDAP Plugin: Upgrade to 807.809.vd3a_4e5e4ec98 Multijob Plugin: Upgrade to 669.v9d96a_9c71b_0 Pipeline: Groovy Libraries Plugin: Upgrade to 798.v5cc688825312 Notes buildgraph-view Plugin: As of the release of this advisory, no fix is available. Acknowledgments Thanks to the following individuals for discovering and reporting these vulnerabilities: Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel, Adiel Sol from DREAM for SECURITY-365

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Plugin Security Advisory: RCE, SSRF, AFR, Path Traversal via CVEs