CVE-2025-64132
Published Oct 29, 2025
Last updated 3 months ago
- Description
- Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access.
- Source
- jenkinsci-cert@googlegroups.com
- NVD status
- Analyzed
- Products
- mcp_server
CVSS 3.1
- Type
- Secondary
- Base score
- 5.4
- Impact score
- 2.5
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-862
- Hype score
- Not currently trending
MCP servers are now a recognized attack surface. Last 72 hours: - CVE-2025-11202 (Found be me 😀 through @thezdi): win-cli-mcp-server command injection RCE (CVSS 9.8) - CVE-2025-64132: Jenkins MCP Server permission bypass The Model Context Protocol is 3 months old and alr
@gothburz
1 Nov 2025
6793 Impressions
14 Retweets
89 Likes
49 Bookmarks
1 Reply
1 Quote
CVE-2025-64132 - Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools This time #pruva analyzed a cve related to the official #MCP server for Jenkins. Report: https://t.co/9eo9Y4qSWI Advs: https://t.co/KVGmC93EsX https://t.co/sjmdF830mW
@N3mes1s
30 Oct 2025
2983 Impressions
11 Retweets
43 Likes
15 Bookmarks
2 Replies
0 Quotes
CVE-2025-64132 Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain in… https://t.co/GOTlYanytF
@CVEnew
29 Oct 2025
223 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jenkins:mcp_server:*:*:*:*:*:jenkins:*:*",
"matchCriteriaId": "5693C7AF-4054-4B81-81F8-4B8DE2A52804",
"versionEndExcluding": "0.86.v7d3355e6a_a_18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]