Description
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes Jenkins to accept a post-login redirect URL that contains tab or newline characters between the two slashes and to treat it as a URL pointing to Jenkins itself. An attacker can therefore lure a user into following a crafted login link whose redirect lands on an external, attacker-controlled site, facilitating credential phishing. The flaw stems from insufficient validation of the redirect parameter and is an open-redirect weakness (CWE-601).

Affected Systems

Jenkins core versions 2.567 and older and LTS releases up to 2.555.2 are affected. All installations using these versions inherit the redirect handling behavior that permits the improper URL pattern.

Risk and Exploitability

The lack of an EPSS entry and absence from the KEV catalog suggest limited public exploitation data, but the flaw remains exploitable by anyone who can influence the redirect target for a logged-in user. A credential-stealing attack requires the user to be logged into Jenkins and to click the malicious link, so the risk is moderate to high in environments where external redirects are enabled. No CVSS score is available, so assess risk from the severity description and the attack vector implied by the redirect mechanism.

Generated by OpenCVE AI on June 10, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins to at least 2.568 or LTS 2.556+ to apply the vendor fix.
  • If upgrading is not immediately possible, disable the post-login redirect feature or enforce validation that redirects only point to internal domains and reject URLs containing tab or newline characters between slashes.
  • Review authentication logs for suspicious redirect attempts and train users to verify login URLs, being wary of unexpected external links after login.

Generated by OpenCVE AI on June 10, 2026 at 14:52 UTC.
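The validation described in the recommended actions above, as an added example that is not Jenkins code and not part of this page: a Python redirect-target validator that accepts only unambiguous same-site paths (rejecting tab, newline and other control characters, and `//` or `/\` prefixes), shown beside a hypothetical naive check that only looks for a literal `//` prefix, plus a small scan over access-log lines that flags post-login redirect parameters the validator would reject. The parameter name `from`, the host name `attacker.example` and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not Jenkins code. Browsers strip ASCII tab and newline while
# parsing a URL, so "/<TAB>/host" is fetched as the scheme-relative "//host".
# A check that only looks for a literal "//" prefix therefore misses it.

# Tab, LF, CR and every other C0 control byte plus DEL. Space is deliberately
# left out: decoded job paths may legitimately contain spaces.
ASCII_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

REDIRECT_PARAM = "from"  # assumption: query parameter carrying the post-login target


def naive_is_local(target: str) -> bool:
    """Hypothetical weak check of the kind this CVE describes: it accepts any
    path starting with a single slash, so '/\\t/host' passes."""
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it is an unambiguous same-site path, else `default`."""
    if not target:
        return default
    # 1. Control characters are never legitimate in a redirect target; reject
    #    them before any parser gets a chance to silently drop them.
    if ASCII_CONTROL.search(target):
        return default
    # 2. Exactly one leading slash; a second slash or a backslash (which browsers
    #    also treat as a slash) would make the URL scheme-relative.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return default
    # 3. Belt and braces: the standard parser must see neither scheme nor host.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


# Constructed access-log lines (not real traffic) in common combined format.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2026:14:00:01 +0000] "GET /login?from=%2Fjob%2Fbuild%2F HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jun/2026:14:00:07 +0000] "GET /login?from=%2F%09%2Fattacker.example%2F HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jun/2026:14:00:09 +0000] "GET /login?from=%2F%0A%2Fattacker.example HTTP/1.1" 200 512',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def suspicious_redirects(log_lines):
    """Return (decoded_target, log_line) pairs whose redirect parameter the
    validator would reject. parse_qs decodes %09 / %0A back to tab / newline,
    so the same check applies to what the server would actually have received."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(REDIRECT_PARAM, []):
            if safe_redirect_target(value) != value:
                hits.append((value, line))
    return hits


if __name__ == "__main__":
    for target, line in suspicious_redirects(SAMPLE_LOG):
        print(repr(target), "<-", line)
```

The validator is intentionally an allow-list (one leading slash, no control bytes, no host or scheme seen by the parser) rather than a deny-list of known tricks; the log scan reuses it so that detection and enforcement cannot drift apart.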


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Jenkins Project; Jenkins Project jenkins
Vendors & Products    -                Jenkins Project; Jenkins Project jenkins

Wed, 10 Jun 2026 15:15:00 +0000

Type          Values Removed   Values Added
Title         -                Phishing via Malicious Login Redirects in Jenkins
Weaknesses    -                CWE-601

Wed, 10 Jun 2026 13:30:00 +0000

Type          Values Removed   Values Added
Description   -                Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.
References    -                -

Subscriptions

Jenkins Project Jenkins
MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:43:26.825Z

Reserved: 2026-06-09T14:26:44.788Z

Link: CVE-2026-53437

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T14:16:36.677

Modified: 2026-06-10T14:16:36.677

Link: CVE-2026-53437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses