Description
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
Published: 2026-06-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins versions 2.567 and earlier, including LTS 2.555.2, incorrectly treat redirect URLs that contain relative path segments such as ./ or ../ as legitimate after a user logs in. This flaw allows attackers to redirect a user’s browser to an arbitrary external site, thereby facilitating phishing attacks that can steal credentials. The weakness aligns with CWE-601, URL Redirection to Untrusted Resource.

Affected Systems

The Jenkins Project’s Jenkins is affected. Vulnerable releases include all Jenkins 2.567 and older, and all Long‑Term Support releases 2.555.2 and older.

Risk and Exploitability

The EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation yet. Attackers could exploit this by directing a legitimate user to a malicious site immediately after login, with no additional authentication required. The CVSS score of 4.3 indicates low severity, and the risk is considered low for environments where users log in through web interfaces, especially if credential reuse occurs. No official workaround is published.

Generated by OpenCVE AI on June 10, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Jenkins release, ensuring the version is newer than 2.567 and 2.555.2
  • Restrict redirect URLs by configuring the built‑in whitelist through Manage Jenkins → Configure Global Security or by installing a plugin that enforces safe redirects
  • Review any custom redirect handling in plugins and ensure they do not accept unvalidated parameters; disable or whitelist if necessary

Generated by OpenCVE AI on June 10, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title jenkins: Jenkins: Phishing attacks via improper redirect URL validation
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins jenkins
CPEs cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products Jenkins
Jenkins jenkins

Wed, 10 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Jenkins Improper Validates Redirect URL After Login Allowing Phishing

Wed, 10 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Jenkins Improper Validates Redirect URL After Login Allowing Phishing
Weaknesses CWE-601

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
References

Subscriptions

Jenkins Jenkins
Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:36:40.939Z

Reserved: 2026-06-09T14:26:44.788Z

Link: CVE-2026-53436

cve-icon Vulnrichment

Updated: 2026-06-10T15:36:32.314Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T14:16:36.547

Modified: 2026-06-11T13:24:27.300

Link: CVE-2026-53436

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T13:05:57Z

Links: CVE-2026-53436 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')