Description
A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to attackers to trigger a build for a pull request.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw in the Jenkins GitHub Integration Plugin allows an attacker to trigger an unintended build for a pull request. The weakness enables a malicious actor to execute build jobs without legitimate authorization, potentially exposing internal resources or introducing unauthorized code changes. The vulnerability is classic CSRF, identified by CWE-352.

Affected Systems

Jenkins Project Jenkins GitHub Integration Plugin versions 0.7.3 and earlier are affected. All installations of that plugin running at or below these versions are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk overall. EPSS data is not available to gauge current exploitation likelihood, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be CSRF, meaning an attacker could send a crafted request from a user’s browser or a malicious script that bypasses Jenkins’ CSRF token checks. Successful exploitation would require that the victim has network access to the Jenkins instance and does not have additional mitigation such as trained access controls or reverse proxy filtering.

Generated by OpenCVE AI on May 27, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Jenkins GitHub Integration Plugin to the latest released version that fixes the CSRF issue. The official advisory lists the fixed release and instructions for upgrade.
  • Verify that Jenkins’ global CSRF protection (X‑Frame Options, CSRF token enforcement) remains enabled in CONFIGURE GLOBAL SECURITY, as the vulnerability exploits a missing token check.
  • If immediate upgrade is not feasible, restrict or temporarily disable the GitHub Integration Plugin’s pull‑request build functionality to prevent accidental build triggers until a patch is applied.

Generated by OpenCVE AI on May 27, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Github Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Github Plugin

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Kostyasha
Kostyasha github Integration
CPEs cpe:2.3:a:kostyasha:github_integration:*:*:*:*:*:jenkins:*:*
Vendors & Products Kostyasha
Kostyasha github Integration

Wed, 27 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title CSRF Vulnerability Allows Unauthorized Build Trigger in Jenkins GitHub Integration Plugin

Wed, 27 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to attackers to trigger a build for a pull request.
References

Subscriptions

Jenkins Project Jenkins Github Plugin
Kostyasha Github Integration
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-05-27T15:22:16.078Z

Reserved: 2026-05-26T14:50:46.813Z

Link: CVE-2026-48925

cve-icon Vulnrichment

Updated: 2026-05-27T15:22:09.588Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T15:16:32.190

Modified: 2026-05-28T16:57:40.600

Link: CVE-2026-48925

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:15:25Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)