Jenkins Security Advisory: RCE, Stored XSS, and IDOR Fixes (CVE-2026-53435 et al.)

Jenkins Security Advisory 2026-06-10 Vulnerability Overview 1. Deserialization Vulnerability - CVE: CVE-2026-53435 - Severity: High - Description: Jenkins uses serialization and deserialization in several areas, such as agent/controller communication (Remoting library) and loading/saving configuration and build data (using XStream). An attacker can exploit this vulnerability to execute arbitrary code on the Jenkins controller. 2. Open Redirect Vulnerability - CVE: CVE-2026-53436, CVE-2026-53437 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier, contain a flaw in URL validation that could lead to redirection to a domain controlled by an attacker. 3. Missing Permission Check Allows Cancellation of Queued Items - CVE: CVE-2026-53438 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier, do not perform Item/Read permission checks on HTTP endpoints, allowing attackers to cancel queued items they do not have permission to view. 4. Missing Permission Check Allows Retrieval of Limited User Profile Information - CVE: CVE-2026-53439 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier, do not perform permission checks on HTTP endpoints, allowing attackers to determine other users' time zones and enumerate view names. 5. Open Redirect Vulnerability in the "Delegate to Servlet Container" Security Realm - CVE: CVE-2026-53440 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier, do not ensure the safety of the "from" parameter in the "Delegate to Servlet Container" security realm, potentially leading to redirection to a domain controlled by an attacker. 6. Stored XSS Vulnerability in Node Offline Reason Description - CVE: CVE-2026-53441 - Severity: High - Description: Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier, fail to escape user-provided offline reason descriptions, resulting in a stored XSS vulnerability. 7. Secrets Stored and Served in Plaintext in the config.xml Endpoint - CVE: CVE-2026-53442 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, LTS 2.555.2 and earlier, write secrets to disk when POSTing config.xml submissions, causing secrets to be stored and served in plaintext. Affected Versions Jenkins weekly: 2.567 and earlier Jenkins LTS: 2.555.2 and earlier Fix Jenkins weekly: Upgrade to 2.568 Jenkins LTS: Upgrade to 2.555.3 Additional Information These vulnerabilities were reported via the Jenkins Bug Bounty Program and sponsored by the European Commission. Some vulnerabilities were caused by incomplete fixes; see the relevant security advisories for details. Summary The Jenkins 2026-06-10 Security Advisory addresses multiple serious security vulnerabilities, including deserialization vulnerabilities, open redirect vulnerabilities, missing permission checks, stored XSS vulnerabilities, and plaintext secret storage. Affected versions are Jenkins weekly 2.567 and earlier, and Jenkins LTS 2.555.2 and earlier. Users are advised to upgrade to Jenkins weekly 2.568 or Jenkins LTS 2.555.3 as soon as possible to fix these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: RCE, Stored XSS, and IDOR Fixes (CVE-2026-53435 et al.)