Impact
The Jenkins Email Extension Plugin can inline images directly into the email body: an image tag carrying the data-inline attribute is resolved at send time and its bytes are embedded in the message. The plugin places no restrictions on the URL of such an image, so an attacker who can control the email content can point it at a file: URL naming any file on the Jenkins controller filesystem. When the email is rendered, the plugin reads that file, base64-encodes it, and injects it into the message, so the file contents are delivered to whoever receives the email. This is an information-disclosure vulnerability: any file readable by the Jenkins controller process, including configuration files, stored credentials and secret keys, can be exfiltrated in this way.
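The mechanism above, as an added example that is not code from the plugin or the advisory: a minimal inline-image resolver in Python that mirrors the described behaviour (follow whatever URL the body names, read the file, base64-encode it) beside a hardened variant that accepts only http(s) URLs or local files that resolve inside an explicit image root. The attribute name data-inline comes from the text; the function names, the allowed-root check and the "secret" file written to a temporary directory are constructed for the example.

```python
import base64
import html.parser
import os
import tempfile
from urllib.parse import urlparse


class InlineImageFinder(html.parser.HTMLParser):
    """Collect the src of every <img> tag marked with data-inline."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and "data-inline" in attrs and attrs.get("src"):
            self.urls.append(attrs["src"])


def find_inline_images(body):
    parser = InlineImageFinder()
    parser.feed(body)
    return parser.urls


def inline_unrestricted(url):
    """Vulnerable pattern: resolve the URL exactly as the email body names it.

    A file: URL is opened on the local filesystem and returned base64-encoded,
    which is the behaviour the advisory describes.  Network fetches are left
    out so the example runs offline.
    """
    parsed = urlparse(url)
    if parsed.scheme == "file":
        with open(parsed.path, "rb") as f:
            return base64.b64encode(f.read()).decode()
    raise ValueError("network fetch omitted in this offline example")


ALLOWED_SCHEMES = {"http", "https"}


def inline_restricted(url, image_root):
    """Hardened variant (an assumption for this example, not the plugin's fix).

    Only http(s) URLs or file: URLs that resolve inside image_root are allowed;
    realpath() defeats ../ and symlink tricks before the containment check.
    """
    parsed = urlparse(url)
    if parsed.scheme in ALLOWED_SCHEMES:
        raise ValueError("network fetch omitted in this offline example")
    if parsed.scheme != "file" or parsed.netloc not in ("", "localhost"):
        raise ValueError(f"disallowed image URL: {url}")
    root = os.path.realpath(image_root)
    target = os.path.realpath(parsed.path)
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{url} resolves outside {image_root}")
    with open(target, "rb") as f:
        return base64.b64encode(f.read()).decode()


def demo():
    """Constructed scenario: a 'secret' on the controller and an email body
    whose inline image points at it.  Returns (bytes leaked by the vulnerable
    resolver, whether the hardened resolver blocked the same URL)."""
    tmp = tempfile.mkdtemp()
    secret = os.path.join(tmp, "secrets", "master.key")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "wb") as f:
        f.write(b"0123456789abcdef")
    image_root = os.path.join(tmp, "images")
    os.makedirs(image_root)

    body = f'<p>Build finished</p><img data-inline="true" src="file://{secret}">'
    url = find_inline_images(body)[0]

    leaked = base64.b64decode(inline_unrestricted(url))
    try:
        inline_restricted(url, image_root)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The containment check matters more than the scheme check alone: if a plugin legitimately needs local images, a plain "is it file:?" test is not enough, because a path under the allowed directory can still escape it through ../ or a symlink, which is why the hardened variant compares canonicalised paths.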
Affected Systems
Any Jenkins instance running Email Extension Plugin version 1933.v45cec755423f or earlier is affected. The vulnerability applies to every installation where the plugin is enabled and the content of the emails it sends can be influenced by an attacker or by a compromised user account.
Risk and Exploitability
The CVSS score is 8.8, a high severity. No EPSS score is available and the issue is not listed in CISA KEV, so there is no public evidence of exploitation in the wild yet. The attack requires control over the email content: the attacker must be able to place an inline image reference in the body of an email that the plugin sends, and must be able to read the resulting message (as a recipient or through access to a recipient's mailbox). In Jenkins this typically means a user who can edit the job or pipeline configuration that defines the email body, although any path by which untrusted data ends up in that body should be treated as in scope. Because the plugin performs no URL validation, success means reading any file accessible to the Jenkins controller process.
OpenCVE Enrichment