Description
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Jenkins
AI Analysis

Impact

Jenkins 2.550 and earlier, and LTS 2.541.1 and earlier, accept Run Parameter values that refer to builds the submitting user is not permitted to read. An attacker holding Item/Build and Item/Configure permission can therefore learn whether a given job exists, whether a given build of that job exists and, when it does, that build's display name. The record carries two weakness tags: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) for the disclosure itself, and CWE-551 (Incorrect Behavior Order: Authorization Before Parsing and Canonicalization), whose name describes the pattern: the authorization decision is made before the submitted value has been resolved into the concrete job and build it names. The disclosed information helps an attacker map the jobs and builds of a Jenkins instance; it does not by itself grant control over the system.

Affected Systems

Jenkins core (org.jenkins-ci.main/jenkins-core) from the Jenkins Project: weekly releases 2.550 and earlier, and LTS releases 2.541.1 and earlier.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: reachable over the network with low attack complexity, requiring low privileges and no user interaction, and affecting confidentiality only, to a limited degree. EPSS is below 1%, the SSVC assessment records no known exploitation and rates the issue not automatable, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Item/Build and Item/Configure permission, so the attacker must already hold some authority on the instance: Item/Configure is what allows a Run Parameter naming the target project to be defined on a job the attacker controls, and Item/Build allows a build of that job to be submitted with a chosen build number as the parameter value. Whether the submission is accepted, and what display name comes back, reveals whether the target job and build exist.
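
The lookup that a Run Parameter value triggers is the point where the check has to happen. The following Groovy, written for the Jenkins script console, is an added example and not Jenkins core's own code or its fix: it resolves a value of the form "job/full/name#buildNumber" as the current authentication and collapses every failure (malformed value, unknown job, unknown build, job not readable) into the same null result, so a caller cannot tell "does not exist" from "not permitted". It uses only public core API (jenkins.model.Jenkins, hudson.model.Job, hudson.model.Run); the job name in the final call is hypothetical.

```groovy
// Added example (not Jenkins core's code): permission-aware resolution of a
// Run Parameter value "job/full/name#buildNumber" for the current user.
import hudson.model.Job
import hudson.model.Run
import jenkins.model.Jenkins
import org.springframework.security.access.AccessDeniedException

/**
 * Returns the referenced Run only if the current authentication may read its job.
 * Every failure mode maps to null so the response carries no existence information.
 */
Run resolveRunAsCurrentUser(String value) {
    if (value == null) return null
    int hash = value.lastIndexOf('#')
    // Reject an empty job name or an empty build number.
    if (hash <= 0 || hash == value.length() - 1) return null
    String jobName = value.substring(0, hash)
    int number
    try {
        number = Integer.parseInt(value.substring(hash + 1))
    } catch (NumberFormatException ignored) {
        return null
    }
    Job job
    try {
        // getItemByFullName is evaluated as the *current* authentication: it returns
        // null when the job is missing or not readable, and throws AccessDeniedException
        // when the user holds Item/Discover but not Item/Read. Both become null here.
        job = Jenkins.get().getItemByFullName(jobName, Job)
    } catch (AccessDeniedException ignored) {
        return null
    }
    if (job == null) return null
    // A missing build number also yields null, indistinguishable from the cases above.
    return job.getBuildByNumber(number)
}

// Hypothetical job name. In the script console this runs as the console user; inside a
// plugin the same function would be called under the submitting user's authentication.
Run run = resolveRunAsCurrentUser('team-a/deploy-prod#42')
println(run == null ? 'rejected: missing or not permitted' : "accepted: ${run.fullDisplayName}")
```

The design point is the single rejection path: as soon as "no such job", "no such build" and "not readable" produce different responses, the parameter becomes the existence oracle the description refers to.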

Generated by OpenCVE AI on April 17, 2026 at 18:41 UTC.

Remediation

Fixed in Jenkins 2.551 and LTS 2.541.2 (the versions given under Recommended Actions below); no workaround is recorded.

OpenCVE Recommended Actions

  • Update Jenkins to a version that fixes this issue (>= 2.551 or LTS 2.541.2).
  • Limit Item/Build and Item/Configure permissions to users who truly need them, following the principle of least privilege.
  • Review which jobs define Run Parameters and which projects they point at; remove Run Parameters that are not needed, and make sure the users allowed to build those jobs are also permitted to read the target project, so the parameter cannot be used to probe builds they could not otherwise see.
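
To carry out that review, the following Groovy for the Jenkins script console is an added example (not OpenCVE's or the Jenkins Project's code): it lists every job that declares a Run Parameter, the target project each one names, its result filter, and whether that target is visible to the user running the script. It relies on the public core classes hudson.model.ParametersDefinitionProperty and hudson.model.RunParameterDefinition; the output format is this example's own.

```groovy
// Added example (not Jenkins core's code): inventory of Run Parameters and their targets,
// for assessing exposure to this issue before and after updating.
import hudson.model.Job
import hudson.model.ParametersDefinitionProperty
import hudson.model.RunParameterDefinition
import jenkins.model.Jenkins

/** One map per Run Parameter found: job, parameter name, target project, filter, visibility. */
List<Map<String, String>> auditRunParameters() {
    List<Map<String, String>> findings = []
    Jenkins.get().getAllItems(Job).each { Job job ->
        ParametersDefinitionProperty props = job.getProperty(ParametersDefinitionProperty)
        if (props == null) return
        props.parameterDefinitions.each { pd ->
            if (!(pd instanceof RunParameterDefinition)) return
            RunParameterDefinition rp = (RunParameterDefinition) pd
            // Anyone with Item/Build on this job can submit build numbers of rp.projectName;
            // a target the auditor cannot see is the configuration worth looking at.
            boolean targetVisible = Jenkins.get().getItemByFullName(rp.projectName, Job) != null
            findings << [
                job          : job.fullName,
                param        : rp.name,
                target       : rp.projectName,
                filter       : rp.filter?.toString() ?: 'ALL',
                targetVisible: targetVisible.toString(),
            ]
        }
    }
    return findings
}

auditRunParameters().each { f ->
    println "${f.job}: Run Parameter '${f.param}' -> ${f.target} (filter=${f.filter}, target visible to me=${f.targetVisible})"
}
```

Run it as an administrator so every job is enumerated; then, for each finding, compare the set of users with Item/Build on the listed job against those with Item/Read on its target.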

Advisories
Source        ID                     Title
GitHub GHSA   GHSA-wfhp-qgm8-5p5c    Jenkins has a build information disclosure vulnerability through Run Parameter
History

Fri, 20 Feb 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jenkins
                                      Jenkins jenkins
CPEs                                  cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
                                      cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products                    Jenkins
                                      Jenkins jenkins

Thu, 19 Feb 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jenkins Project
                                      Jenkins Project jenkins
Vendors & Products                    Jenkins Project
                                      Jenkins Project jenkins

Thu, 19 Feb 2026 00:15:00 +0000

Type                 Values Removed          Values Added
Title                                        org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters
Weaknesses                                   CWE-551
References
Metrics              threat_severity: None   threat_severity: Moderate

Wed, 18 Feb 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-200
Metrics                               cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
                                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 14:45:00 +0000

Type                 Values Removed   Values Added
Description                           Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-02-18T14:53:33.264Z

Reserved: 2026-02-17T16:48:49.373Z

Link: CVE-2026-27100

Vulnrichment

Updated: 2026-02-18T14:52:48.220Z

NVD

Status : Analyzed

Published: 2026-02-18T15:18:43.967

Modified: 2026-02-20T20:53:16.173

Link: CVE-2026-27100

Red Hat

Severity : Moderate

Public Date: 2026-02-18T14:17:44Z

Links: CVE-2026-27100 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses