Description
Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
Published: 2026-04-29
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Microsoft Entra ID (formerly Azure AD) Plugin up to version 666.v6060de32f87d allows an attacker to redirect users to arbitrary URLs after authentication. This flaw enables the construction of convincing phishing pages that can harvest user credentials or implant malware, potentially compromising any Jenkins environment that relies on this plugin for identity integration. The weakness stems from a lack of validation on redirect URLs, a classic web-application vulnerability (CWE-601) that grants attackers control over the post-login flow.

Affected Systems

The issue affects Jenkins installations using the Microsoft Entra ID Plugin, specifically all releases 666.v6060de32f87d and earlier. Any Jenkins instance that employs this plugin for Single Sign-On with Microsoft Entra ID is vulnerable, regardless of the Jenkins core version.

Risk and Exploitability

Although no EPSS score or KEV listing is available, the CVSS score of 4.3 indicates low overall severity, yet the deficiency permits attackers to bypass normal authentication redirects and trick users into submitting credentials to malicious sites. The risk is high in environments where external networks or untrusted users can interact with the Jenkins login page. The exploit path is straightforward: after a user logs in through the plugin, the attacker can manipulate the redirect parameter to point to a phishing domain.

Generated by OpenCVE AI on April 29, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Microsoft Entra ID Plugin to the latest fixed version once it is released.
  • Disable or uninstall the plugin temporarily if a patch is not available, and avoid using it for authentication.
  • Configure Jenkins or the plugin to whitelist acceptable redirect URLs and reject any that are not on the allowed list.
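
A defensive illustration of the third action above, added here as a constructed example (not code from the Entra ID plugin or from Jenkins): a post-login redirect validator that accepts only same-site relative paths or absolute http(s) URLs whose host exactly matches an allowlist, and falls back to a safe default for the usual CWE-601 evasion shapes. The allowlist host `jenkins.example` and the sample inputs are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demo; a real deployment fills this from config.
ALLOWED_HOSTS = {"jenkins.example"}
SAFE_DEFAULT = "/"


def safe_redirect_target(candidate, allowed_hosts=ALLOWED_HOSTS, default=SAFE_DEFAULT):
    """Return `candidate` only if it stays on our own site, else `default`.
    Allowed: a same-site relative path ("/job/x") or an absolute http(s) URL
    whose host is listed in `allowed_hosts`. Everything else is rejected."""
    if not candidate:
        return default
    # CR/LF and other control characters invite header injection and
    # server/browser parser disagreement; whitespace is equally suspect.
    if any(ord(ch) < 0x20 or ch in " \x7f" for ch in candidate):
        return default
    # Browsers treat '\' like '/' in http(s) URLs, so "/\evil" reads as
    # "//evil" and "https://evil\@ours" confuses host parsing. Refuse it.
    if "\\" in candidate:
        return default
    try:
        parts = urlsplit(candidate)
        if parts.scheme == "" and parts.netloc == "":
            # Relative reference: accept only a single-slash path.
            # "//host" (and "///host") is scheme-relative and leaves the site.
            if candidate.startswith("/") and not candidate.startswith("//"):
                return candidate
            return default
        if parts.scheme.lower() not in ("http", "https"):
            return default  # javascript:, data:, file: and friends
        if "@" in parts.netloc or parts.username is not None:
            return default  # userinfo tricks such as https://ours@evil/
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. a malformed IPv6 literal like "https://[evil"
        return default
    # Exact host match only: "jenkins.example.evil.example" must not pass.
    # Ports are not compared here; add that check if your site pins one.
    if host in {h.lower() for h in allowed_hosts}:
        return candidate
    return default


if __name__ == "__main__":
    # Constructed sample of redirect parameters a login handler might receive.
    for sample in ["/job/build-all/", "https://jenkins.example/job/x",
                   "//evil.example/login", "/\\evil.example",
                   "javascript:alert(1)", "https://jenkins.example@evil.example/"]:
        print(f"{sample!r:48} -> {safe_redirect_target(sample)!r}")
```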

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 08:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Jenkins Project; Jenkins Project jenkins Microsoft Entra Id Plugin
Vendors & Products   |                | Jenkins Project; Jenkins Project jenkins Microsoft Entra Id Plugin

Wed, 29 Apr 2026 21:45:00 +0000

Type   | Values Removed | Values Added
Title  |                | Unrestricted Redirect in Microsoft Entra ID Plugin Enables Phishing Attacks

Wed, 29 Apr 2026 14:15:00 +0000

Type        | Values Removed | Values Added
Weaknesses  |                | CWE-601
Metrics     |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
            |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 13:45:00 +0000

Type         | Values Removed | Values Added
Description  |                | Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
References   |                |

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-04-29T14:09:41.735Z

Reserved: 2026-04-28T09:24:35.049Z

Link: CVE-2026-42525

Vulnrichment

Updated: 2026-04-29T14:08:53.365Z

NVD

Status: Awaiting Analysis

Published: 2026-04-29T14:16:19.557

Modified: 2026-04-30T15:13:14.230

Link: CVE-2026-42525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:21:17Z

Weaknesses