Description
Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
Published: 2026-04-29
Score: 7.5 High
EPSS: 2.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by the Jenkins Credentials Binding Plugin not sanitizing file names supplied in file and zip file credentials. This omission allows an attacker who can provide credentials to a job to write arbitrary files to any location on the node file system. By writing malicious files, the attacker can achieve remote code execution if Jenkins is configured so that a low‑privileged user can set file or zip file credentials for a job running on the built‑in node.

Affected Systems

Jenkins Project – Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier are affected. Any installation using the vulnerable plugin on a node where low‑privileged users can configure job credentials is susceptible.

Risk and Exploitability

Based on the description, the likely attack vector is attacker‑authenticated with permissions to create or modify jobs that use file or zip file credentials on the built‑in node. The absence of a sanitization check gives the attacker full write access to the node file system, leading to arbitrary code execution. The EPSS score of 2% indicates a measurable likelihood of exploitation, and the CVSS score of 7.5 indicates high severity, making it a risk that should be mitigated promptly.

Generated by OpenCVE AI on May 7, 2026 at 15:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Credentials Binding Plugin to the latest released version that includes input validation for file names.
  • Ensure that Jenkins is running the latest stable release, which incorporates the patched plugin.
  • Restrict users who can configure file or zip file credentials for jobs to high‑privileged accounts, or disable job credential configuration for low‑privileged users.

Generated by OpenCVE AI on May 7, 2026 at 15:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p2rf-wpxj-mx2g Jenkins Credentials Binding Plugin has a path traversal vulnerability
History

Thu, 07 May 2026 16:00:00 +0000

Type Values Removed Values Added
Title Unsanitized File Names in Jenkins Credentials Binding Plugin Allow Arbitrary File Write Leading to Remote Code Execution

Wed, 06 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins credentials Binding
CPEs cpe:2.3:a:jenkins:credentials_binding:*:*:*:*:*:jenkins:*:*
Vendors & Products Jenkins
Jenkins credentials Binding

Thu, 30 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Credentials Binding Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Credentials Binding Plugin

Wed, 29 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unsanitized File Names in Jenkins Credentials Binding Plugin Allow Arbitrary File Write Leading to Remote Code Execution

Wed, 29 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
References

Subscriptions

Jenkins Credentials Binding
Jenkins Project Jenkins Credentials Binding Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-04-29T14:02:37.784Z

Reserved: 2026-04-28T09:24:35.048Z

Link: CVE-2026-42520

cve-icon Vulnrichment

Updated: 2026-04-29T13:59:03.887Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-29T14:16:19.067

Modified: 2026-05-06T16:32:41.713

Link: CVE-2026-42520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T15:45:32Z

Weaknesses