Description
A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.
Published: 2026-06-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing permission check in Jenkins releases 2.567 and earlier, and LTS 2.555.2 and earlier. It allows an attacker who has Item/Cancel permission but lacks Item/Read permission to cancel queue items they are not permitted to view. This can be used to disrupt continuous integration pipelines or manipulate build queues, effectively providing a privilege escalation that impairs the availability and integrity of the build system.

Affected Systems

Jenkins Project Jenkins versions 2.567 and all earlier releases, as well as the Long Term Support line 2.555.2 and earlier, are affected. Administrators using these releases should verify the installed version and plan to upgrade.

Risk and Exploitability

EPSS is available, with a value indicating a probability of exploitation below 1%, and the vulnerability is not listed in the CISA KEV catalog. The exploitability requires the attacker to possess Item/Cancel authority, suggesting an internal or easily compromised threat scenario. An attacker can cancel queued builds that they cannot otherwise see, potentially disrupting services or creating denial‑of‑service conditions. As no public exploit code is known, the risk is considered moderate, but organizations that use Jenkins without tightly controlling Item/Cancel permissions should treat this as high severity. The CVSS score of 4.3 confirms a moderate severity rating.

Generated by OpenCVE AI on June 18, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Jenkins release newer than 2.567 or LTS 2.555.2.
  • Revoke Item/Cancel permissions from accounts that do not require it until the upgrade is complete.
  • Enable auditing of build queue operations and review logs for unauthorized cancellation events.
  • If an immediate upgrade is not possible, isolate the Jenkins queue component via network segmentation or firewall controls to limit access to authorized hosts.

Generated by OpenCVE AI on June 18, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Unauthorized Queue Cancellation in Jenkins jenkins: Jenkins: Unauthorized cancellation of queue items due to missing permission check
Weaknesses CWE-266
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins jenkins
CPEs cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products Jenkins
Jenkins jenkins

Wed, 10 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Unauthorized Queue Cancellation in Jenkins

Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.
References

Subscriptions

Jenkins Jenkins
Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:32:02.157Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53438

cve-icon Vulnrichment

Updated: 2026-06-10T15:16:01.465Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T14:16:36.793

Modified: 2026-06-11T13:21:45.927

Link: CVE-2026-53438

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T13:05:59Z

Links: CVE-2026-53438 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T02:00:05Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-862

    Missing Authorization