CVE-2026-53442

Published Jun 10, 2026

Last updated 3 days ago

CVSS medium 5.3

Overview

Description: Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
Source: jenkinsci-cert@googlegroups.com
NVD status: Analyzed
Products: jenkins

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-311

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
            "matchCriteriaId": "648B5148-FE3B-464A-8963-DCF7ACEF84E5",
            "versionEndExcluding": "2.555.3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "356A970F-6576-49B6-8EBA-E9770ED190A7",
            "versionEndExcluding": "2.568",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.