Description
A vulnerability has been found in hekmon8 Jenkins-server-mcp 0.1.0. This vulnerability affects the function jobPath of the file src/index.ts of the component get_build_status/get_build_log/trigger_build. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the jobPath function within src/index.ts of the get_build_status/get_build_log/trigger_build component. An attacker can manipulate the jobPath parameter to cause the server to perform HTTP requests to arbitrary URLs, enabling server-side request forgery. This flaw permits the execution of requests against internal or external systems that the server can reach, potentially leaking sensitive data or triggering unintended operations. The weakness is classified as CWE-918 and is not limited to a specific environment, presenting a moderate confidentiality or integrity risk.

Affected Systems

The affected product is hekmon8 Jenkins-server-mcp, version 0.1.0. No other versions or variants are listed in the CNA data.

Risk and Exploitability

The CVSS base score of 5.3 indicates a medium severity. No EPSS data is available, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The vulnerability can be triggered remotely simply by making a request that includes a crafted jobPath value. Because the server forwards the request unchanged, an attacker with network access to the Jenkins-server-mcp instance can direct it to any reachable address, including internal services that are otherwise inaccessible.

Generated by OpenCVE AI on June 1, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins-server-mcp to a version that removes the SSRF flaw, if one has been released.
  • Restrict outbound traffic from the Jenkins-server-mcp host to only authorized Jenkins endpoints and block access to internal networks, using network policies or firewall rules.
  • Apply input validation on the jobPath parameter so that only known Jenkins job names or safe relative paths are allowed, rejecting any URLs or suspicious characters.
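
The third recommended action, shown as an added TypeScript example. This is not code from the hekmon8 Jenkins-server-mcp project; it assumes the server holds a configured Jenkins base URL and addresses jobs as <base>/job/<name>/job/<nested>/..., which is the standard Jenkins folder layout. The validator allow-lists job-name characters, refuses anything that looks like a URL, an absolute path or a dot segment, and then double-checks that the URL it finally builds stays on the configured origin. Sample inputs in the test are constructed.

```typescript
// Added example (not the project's code): allow-list validation of a
// Jenkins jobPath before it is used to build an outbound request URL.
// Assumption: jobs are addressed as <base>/job/<segment>/job/<segment>/...

// One job-name segment: starts alphanumeric, then a conservative set of
// characters. Slashes, ':', '?', '#', '@', whitespace and '%' are excluded,
// so a segment can never carry a scheme, host, query or encoded surprise.
const JOB_SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/;

interface JobPathCheck {
  ok: boolean;
  segments: string[];
  reason?: string;
}

// Validate an untrusted jobPath. Returns the split segments on success,
// or a reason string on failure (useful for logging rejected requests).
function validateJobPath(jobPath: unknown): JobPathCheck {
  const reject = (reason: string): JobPathCheck => ({ ok: false, segments: [], reason });

  if (typeof jobPath !== 'string' || jobPath.length === 0) return reject('empty or non-string');
  if (jobPath.length > 1024) return reject('too long');
  // Anything with a scheme prefix ("http:", "file:", ...) is an SSRF attempt, not a job name.
  if (/^[a-z][a-z0-9+.-]*:/i.test(jobPath)) return reject('scheme not allowed');
  // Leading "/" or "//" would let the WHATWG URL parser re-root or change host.
  if (jobPath.startsWith('/') || jobPath.includes('//')) return reject('absolute or empty path segment');

  const segments = jobPath.split('/');
  for (const s of segments) {
    if (s === '.' || s === '..') return reject('dot segment');
    if (!JOB_SEGMENT.test(s)) return reject(`invalid segment ${JSON.stringify(s)}`);
  }
  return { ok: true, segments };
}

// Build the Jenkins API URL for a job. Throws if jobPath is rejected or if
// the resulting URL somehow leaves the configured Jenkins origin.
function buildJobUrl(jenkinsBase: string, jobPath: unknown): string {
  const check = validateJobPath(jobPath);
  if (!check.ok) throw new Error(`rejected jobPath: ${check.reason}`);

  const base = new URL(jenkinsBase);
  const basePath = base.pathname.replace(/\/+$/, '');
  const jobPart = check.segments.map((s) => '/job/' + encodeURIComponent(s)).join('');
  const url = new URL(`${basePath}${jobPart}/api/json`, base);

  // Defence in depth: the validator should make this impossible, but the
  // outbound request must never target a different host or port.
  if (url.origin !== base.origin) throw new Error('URL escaped configured Jenkins origin');
  return url.toString();
}

// Stand-alone demonstration with constructed inputs.
const BASE = 'https://jenkins.example.internal:8080/';
for (const candidate of ['team-a/build-api', 'http://internal-host.example/', '../admin', 'job?x=1']) {
  const result = validateJobPath(candidate);
  console.log(JSON.stringify(candidate), result.ok ? 'accepted' : `rejected (${result.reason})`);
}
console.log(buildJobUrl(BASE, 'team-a/build-api'));
```

Rejected values are worth logging with the reason string: a burst of "scheme not allowed" or "dot segment" rejections from one client is a direct detection signal for SSRF probing against the MCP server, and the origin check at the end is what keeps a future parser quirk from turning a passed validation into an outbound request elsewhere.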

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 19:00:00 +0000

Type / Values Removed / Values Added

Description: A vulnerability has been found in hekmon8 Jenkins-server-mcp 0.1.0. This vulnerability affects the function jobPath of the file src/index.ts of the component get_build_status/get_build_log/trigger_build. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title: hekmon8 Jenkins-server-mcp get_build_status/get_build_log/trigger_build index.ts jobPath server-side request forgery
First Time appeared: Hekmon8; Hekmon8 jenkins-server-mcp
Weaknesses: CWE-918
CPEs: cpe:2.3:a:hekmon8:jenkins-server-mcp:*:*:*:*:*:*:*:*
Vendors & Products: Hekmon8; Hekmon8 jenkins-server-mcp
References: (empty)
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T17:00:11.275Z

Reserved: 2026-05-31T16:02:55.600Z

Link: CVE-2026-10276

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T19:16:20.027

Modified: 2026-06-01T19:16:20.027

Link: CVE-2026-10276

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:30:17Z

Weaknesses