Jenkins Security Advisory: RCE, Open Redirect, XSS Fixes (CVE-2026-53435 et al.)

Jenkins Security Advisory 2026-06-10 Vulnerability Overview 1. Deserialization Vulnerability - CVE: CVE-2026-53435 - Severity: High - Description: Jenkins uses serialization and deserialization in multiple places, such as agent/controller communication (Remoting library) and loading/saving configuration and build data (using XStream). Attackers can exploit this vulnerability to execute arbitrary code. 2. Open Redirection Vulnerability - CVE: CVE-2026-53436, CVE-2026-53437 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, contain flaws in URL validation that allow attackers to redirect to controlled domains. 3. Missing Permission Checks Allow Cancellation of Queue Items - CVE: CVE-2026-53438 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, fail to perform Item/Read permission checks, allowing attackers to cancel queue items. 4. Missing Permission Checks Allow Retrieval of Limited User Profile Information - CVE: CVE-2026-53439 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, fail to perform permission checks, allowing attackers to retrieve other users' configuration details such as their time zone. 5. Open Redirection Vulnerability in the "Delegate to servlet container" security realm - CVE: CVE-2026-53440 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, do not ensure the safety of the "from" parameter, allowing attackers to redirect users to controlled domains. 6. Stored XSS Vulnerability in Node Offline Reason Description - CVE: CVE-2026-53441 - Severity: High - Description: Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, fail to escape user-provided offline reason descriptions, allowing attackers to execute cross-site scripting attacks. 7. Plaintext Secrets Persisted and Exposed via config.xml Endpoint - CVE: CVE-2026-53442 - Severity: Medium - Description: Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, store secrets in plaintext on disk, allowing attackers to obtain these secrets. Affected Versions Jenkins weekly: 2.567 and earlier Jenkins LTS: 2.555.2 and earlier Remediation Jenkins weekly: Upgrade to 2.568 Jenkins LTS: Upgrade to 2.555.3 Code Block No specific Proof of Concept (POC) code or exploitation code is included on the page.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: RCE, Open Redirect, XSS Fixes (CVE-2026-53435 et al.)