Description
Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.
Published: 2026-05-27
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Active Directory Plugin up to version 2.41 automatically follows LDAP referrals, which can allow an attacker to influence the plugin to contact arbitrary LDAP servers. This behavior may enable retrieval of sensitive directory information or cross‑forest data that the attacker should not normally access. The weakness is classified as CWE‑918, a subtype of LDAP injection where untrusted input leads to denied or unintended access.

Affected Systems

The vulnerability is present in the Jenkins Project’s Active Directory Plugin, affecting all releases 2.41 and earlier.

Risk and Exploitability

With a CVSS score of 6.6 the vulnerability is considered moderate. EPSS is not available and the entry is not listed in CISA KEV. The likely attack vector is inferred to involve an attacker manipulating LDAP responses or sending a crafted referral, causing the plugin to follow that referral and potentially expose directory data. The absence of an EPSS score indicates that it has not been widely exploited, and the CVE is not currently listed in known exploited lists.

Generated by OpenCVE AI on May 27, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Active Directory Plugin to a version newer than 2.41, such as 2.42 or later, which disables automatic LDAP referral following.
  • If an upgrade is not immediately possible, modify the plugin configuration to disable referral following, for example by setting the appropriate referral option to false in the plugin settings.
  • Review LDAP logs and network traffic to detect and block unsolicited referral responses in environments where the plugin is still configured to follow referrals.

Generated by OpenCVE AI on May 27, 2026 at 21:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title LDAP Referral Traversal Vulnerability in Jenkins Active Directory Plugin

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-918
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-05-27T15:48:34.628Z

Reserved: 2026-05-26T14:50:46.812Z

Link: CVE-2026-48918

cve-icon Vulnrichment

Updated: 2026-05-27T15:48:24.309Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T15:16:31.450

Modified: 2026-05-27T19:54:54.150

Link: CVE-2026-48918

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T21:30:34Z

Weaknesses