Description
Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.
Published: 2026-05-27
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Active Directory Plugin, version 2.41 and earlier, deserializes data received in LDAP referrals without validating it. Deserialization of untrusted data (CWE-502) can allow execution of arbitrary code if an attacker supplies crafted referral content. Anyone who can influence the LDAP referrals the plugin receives can therefore potentially compromise the Jenkins instance.

Affected Systems

Installations of the Jenkins Project Jenkins Active Directory Plugin 2.41 or older are affected. Any Jenkins environment that uses this plugin to integrate with an LDAP directory and accepts referral responses from the directory is vulnerable.

Risk and Exploitability

The CVSS score of 6.6 indicates medium severity; the vector (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable issue that requires high attack complexity and high privileges but has high confidentiality, integrity and availability impact. The EPSS score is below 1%, and the vulnerability is not listed in CISA KEV. The likely attack path runs through the LDAP server that the Jenkins instance trusts and contacts: an attacker who controls that server, or can make it return malicious referral data, can reach the vulnerable deserialization path.

Generated by OpenCVE AI on June 16, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Active Directory Plugin to a fixed version supplied by the vendor; follow the vendor advisory for the exact release that contains the fix.
  • If an update is not immediately available, configure Jenkins or the plugin to disable LDAP referrals or ignore referral data during authentication.
  • Implement strict input validation on any LDAP referral data processed by the plugin, ensuring only trusted data is deserialized.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Title | | Jenkins Active Directory Plugin Untrusted Deserialization Vulnerability

Sat, 30 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jenkins Project; Jenkins Project jenkins Active Directory Plugin
Vendors & Products | | Jenkins Project; Jenkins Project jenkins Active Directory Plugin

Thu, 28 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jenkins; Jenkins active Directory
CPEs | | cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*
Vendors & Products | | Jenkins; Jenkins active Directory

Wed, 27 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Title | | Jenkins Active Directory Plugin Untrusted Deserialization Vulnerability

Wed, 27 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-502
Metrics | | cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation.
References | |

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-05-27T15:47:35.773Z

Reserved: 2026-05-26T14:50:46.812Z

Link: CVE-2026-48919

Vulnrichment

Updated: 2026-05-27T15:47:26.408Z

NVD

Status: Analyzed

Published: 2026-05-27T15:16:31.547

Modified: 2026-05-28T17:14:34.727

Link: CVE-2026-48919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T15:00:07Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data