Description
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins versions 2.567 and earlier, including LTS 2.555.2, incorrectly treat redirect URLs that contain relative path segments such as ./ or ../ as legitimate after a user logs in. This flaw allows attackers to redirect a user’s browser to an arbitrary external site, thereby facilitating phishing attacks that can steal credentials. The weakness aligns with CWE-601, URL Redirection to Untrusted Resource.

Affected Systems

The Jenkins Project’s Jenkins is affected. Vulnerable releases include all Jenkins 2.567 and older, and all Long‑Term Support releases 2.555.2 and older.

Risk and Exploitability

The EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog, indicating no known large‑scale exploitation yet. Attackers could exploit this by directing a legitimate user to a malicious site immediately after login, with no additional authentication required. The risk is moderate to high for environments where users log in through web interfaces, especially if credential reuse occurs. No official workaround is published.

Generated by OpenCVE AI on June 10, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Jenkins release, ensuring the version is newer than 2.567 and 2.555.2
  • Restrict redirect URLs by configuring the built‑in whitelist through Manage Jenkins → Configure Global Security or by installing a plugin that enforces safe redirects
  • Review any custom redirect handling in plugins and ensure they do not accept unvalidated parameters; disable or whitelist if necessary

Generated by OpenCVE AI on June 10, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Jenkins Improper Validates Redirect URL After Login Allowing Phishing
Weaknesses CWE-601

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:36:40.939Z

Reserved: 2026-06-09T14:26:44.788Z

Link: CVE-2026-53436

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:36.547

Modified: 2026-06-10T14:16:36.547

Link: CVE-2026-53436

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses