Impact
A missing permission check in the Jenkins GitHub Branch Source Plugin allows an attacker who already holds Overall/Read permission to make Jenkins connect to an attacker-supplied URL using attacker-specified GitHub App credentials. This is an improper access control weakness (a missing permission check) that can disclose or exfiltrate sensitive GitHub App tokens and may enable further manipulation of the repository integration, potentially granting the attacker additional access to the targeted GitHub account or repository. The impact is confined to what the attacker's user account can reach and consists of credential disclosure or misuse, not direct code execution or data destruction on the Jenkins host.
Affected Systems
The vulnerability affects Jenkins instances running GitHub Branch Source Plugin version 1967.vdea_d580c1a_b_a_ or earlier. Administrators should verify the exact installed plugin version and confirm whether it falls within this affected range.
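As an added example (not part of the advisory or the plugin's own code), the following Python check reads a Jenkins plugin inventory, such as the JSON returned by GET /pluginManager/api/json?depth=1, and reports whether the installed github-branch-source version falls inside the affected range. The plugin short name, the endpoint, the version-ordering rule and the sample inventory are assumptions; only the upper bound of the range comes from the advisory.

```python
"""Flag an affected github-branch-source plugin version in a Jenkins plugin inventory."""
import json
import re

# Upper bound of the affected range, taken from the advisory.
AFFECTED_MAX = "1967.vdea_d580c1a_b_a_"
# Assumed short name of the GitHub Branch Source Plugin in the Jenkins plugin manager.
PLUGIN = "github-branch-source"

# Constructed sample of the plugin-manager JSON, trimmed to the fields this check uses.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "active": True},
        {"shortName": PLUGIN, "version": "1800.v0a_b_c_d_e_f_000000", "active": True},
    ]
})


def version_key(version):
    """Order Jenkins plugin versions by their numeric components.

    Modern 'CD' releases look like '<build>.v<hash>' and older releases use dotted
    numbers such as '2.11.4'. Each dotted piece contributes its leading integer
    (0 when it has none, e.g. the 'v<hash>' piece), so both styles compare as tuples.
    Assumption: this ordering matches how Jenkins ranks these versions.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"(\d+)", piece)
        parts.append(int(match.group(1)) if match else 0)
    return tuple(parts)


def is_affected(version, affected_max=AFFECTED_MAX):
    """True when the version is at or below the advisory's affected upper bound."""
    return version_key(version) <= version_key(affected_max)


def find_affected(inventory_json):
    """Return (installed_version, affected) for the plugin, or (None, False) if absent."""
    data = json.loads(inventory_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN:
            return plugin.get("version"), is_affected(plugin["version"])
    return None, False


if __name__ == "__main__":
    installed, hit = find_affected(SAMPLE_INVENTORY)
    print(f"{PLUGIN} {installed}: {'AFFECTED' if hit else 'not affected'}")
```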
Risk and Exploitability
The CVSS score is 4.3, indicating moderate severity. The EPSS score is not available, so the probability of exploitation in the wild cannot be quantified. The flaw is not listed in the CISA KEV catalog. Exploitation requires a user with Overall/Read permission, which is a low-privilege role in many organizations. If an attacker can obtain such a role, or coerce an existing reader into configuring the plugin, the attacker can direct Jenkins to connect to arbitrary external services and potentially leak GitHub App credentials. The risk is amplified for installations that integrate with sensitive GitHub repositories.
OpenCVE Enrichment