Description
A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing permission check in Jenkins releases 2.567 and earlier, and LTS 2.555.2 and earlier. It allows an attacker who has Item/Cancel permission but lacks Item/Read permission to cancel queue items they are not permitted to view. This can be used to disrupt continuous integration pipelines or manipulate build queues, effectively providing a privilege escalation that impairs the availability and integrity of the build system.

Affected Systems

Jenkins Project Jenkins versions 2.567 and all earlier releases, as well as the Long Term Support line 2.555.2 and earlier, are affected. Administrators using these releases should verify the installed version and plan to upgrade.

Risk and Exploitability

EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. The exploitability requires the attacker to possess Item/Cancel authority, suggesting an internal or easily compromise‑able threat scenario. An attacker can cancel queued builds that they cannot otherwise see, potentially disrupting services or creating denial‑of‑service conditions. As no public exploit code is known, the risk is considered moderate, but organizations that use Jenkins without tightly controlling Item/Cancel permissions should treat this as high severity.

Generated by OpenCVE AI on June 10, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Jenkins release newer than 2.567 or LTS 2.555.2.
  • Revoke Item/Cancel permissions from accounts that do not require it until the upgrade is complete.
  • Enable auditing of build queue operations and review logs for unauthorized cancellation events.
  • If an immediate upgrade is not possible, isolate the Jenkins queue component via network segmentation or firewall controls to limit access to authorized hosts.

Generated by OpenCVE AI on June 10, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.
References

Subscriptions

Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:32:02.157Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53438

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:36.793

Modified: 2026-06-10T14:16:36.793

Link: CVE-2026-53438

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z

Weaknesses

No weakness.