Description
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.
Published: 2026-06-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes Jenkins to incorrectly accept a post-login redirect URL that contains tab or newline characters between the two slashes, treating it as a legitimate Jenkins URL even though browsers strip those characters and follow the resulting external address. This allows an attacker to trick users into following a crafted redirect that points to an external malicious site, facilitating credential phishing. The flaw results from insufficient validation of the redirect parameter, i.e. an open redirect (CWE-601).

Affected Systems

Jenkins core versions 2.567 and older and LTS releases up to 2.555.2 are affected. All installations using these versions inherit the redirect handling behavior that permits the improper URL pattern.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The very low EPSS estimate and absence from the KEV catalog suggest limited evidence of exploitation in the wild, but the flaw remains exploitable by anyone who can influence the redirect target for a logged-in user. A credential-stealing attack would require the user to be logged into Jenkins and to click the malicious link; thus, the risk is moderate to high in environments where external redirects are enabled.

Generated by OpenCVE AI on June 10, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins to at least 2.568 or LTS 2.556+ to apply the vendor fix.
  • If upgrading is not immediately possible, disable the post‑login redirect feature or enforce validation that redirects only point to internal domains and reject URLs containing tab or newline characters between slashes.
  • Review authentication logs for suspicious redirect attempts and train users to verify login URLs, being wary of unexpected external links after login.
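The validation described in the second recommendation, as an added illustration that is not Jenkins' code or OpenCVE's: `naive_is_local` shows the flawed pattern of inspecting the raw redirect string, `effective_host` shows where a browser would actually go once it strips tab and newline, and `is_safe_redirect` is an assumed hardened policy (reject control characters, allow only single-slash paths or absolute URLs on our own host). The sample targets and the host `ci.example` are constructed.

```python
import re
from urllib.parse import urlsplit

# Browsers' URL parsers remove ASCII tab, CR and LF before parsing, so
# "/\t/evil.example" reaches the browser as "//evil.example", a
# scheme-relative URL that leaves the site entirely.
_STRIPPED_BY_BROWSERS = re.compile(r"[\t\r\n]")

def naive_is_local(target: str) -> bool:
    """Flawed check pattern: reasons about the raw string, so a tab or
    newline between the two slashes hides the scheme-relative form."""
    return target.startswith("/") and not target.startswith("//")

def effective_host(target: str) -> str:
    """Host the browser would contact for `target` after stripping the
    characters it ignores ('' means same origin)."""
    normalised = _STRIPPED_BY_BROWSERS.sub("", target)
    return urlsplit(normalised).netloc.lower()

def is_safe_redirect(target: str, own_host: str) -> bool:
    """Assumed hardened policy (not Jenkins' own code): reject any ASCII
    control character or backslash outright; a bare path must start with
    exactly one '/'; an absolute URL must be http(s) on our own host."""
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and parts.netloc.lower() == own_host.lower()

# Constructed redirect targets, as they might arrive in a query parameter.
SAMPLES = {
    "/job/build/1/": "same-origin path",
    "/\t/evil.example/login": "tab between the slashes",
    "/\n/evil.example/login": "newline between the slashes",
    "//evil.example/login": "scheme-relative URL",
    "https://ci.example/job/x": "absolute URL to our own host",
    "https://evil.example/": "absolute URL elsewhere",
}

def audit(own_host: str = "ci.example") -> dict:
    """Returns {target: (naive verdict, hardened verdict, browser host)}."""
    return {t: (naive_is_local(t), is_safe_redirect(t, own_host), effective_host(t))
            for t in SAMPLES}

if __name__ == "__main__":
    for t, (naive, hardened, host) in audit().items():
        print(f"{t!r:28} naive={naive!s:5} hardened={hardened!s:5} host={host or '(same origin)'}")
```

The two tab/newline samples are the ones the naive check accepts while the browser-side host is `evil.example`; the hardened check rejects both.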

Generated by OpenCVE AI on June 10, 2026 at 17:26 UTC.


Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type: Title
  Values Added: jenkins: Jenkins: Phishing attack via improper redirect URL validation
Type: References
Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Important


Thu, 11 Jun 2026 13:30:00 +0000

Type: First Time appeared
  Values Added:
    Jenkins
    Jenkins jenkins
Type: CPEs
  Values Added:
    cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
    cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Type: Vendors & Products
  Values Added:
    Jenkins
    Jenkins jenkins

Wed, 10 Jun 2026 17:45:00 +0000

Type: Title
  Values Added: Phishing via Malicious Login Redirects in Jenkins

Wed, 10 Jun 2026 16:30:00 +0000

Type: Metrics (cvssV3_1)
  Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 15:45:00 +0000

Type: First Time appeared
  Values Added:
    Jenkins Project
    Jenkins Project jenkins
Type: Vendors & Products
  Values Added:
    Jenkins Project
    Jenkins Project jenkins

Wed, 10 Jun 2026 15:15:00 +0000

Type: Title
  Values Added: Phishing via Malicious Login Redirects in Jenkins
Type: Weaknesses
  Values Added: CWE-601

Wed, 10 Jun 2026 13:30:00 +0000

Type: Description
  Values Added: Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.
Type: References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-30T03:18:42.669Z

Reserved: 2026-06-09T14:26:44.788Z

Link: CVE-2026-53437

Vulnrichment

Updated: 2026-06-30T03:18:42.669Z

NVD

Status : Analyzed

Published: 2026-06-10T14:16:36.677

Modified: 2026-06-11T13:23:10.640

Link: CVE-2026-53437

Redhat

Severity : Important

Public Date: 2026-06-10T13:05:58Z

Links: CVE-2026-53437 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')