Description
Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing permission checks in Jenkins versions 2.567 and earlier and LTS 2.555.2 and earlier. A user with Overall/Read permission can query the web interface to learn the configured timezone of other users and enumerate the names of other users’ "My Views". This allows the attacker to obtain sensitive user configuration data that should not be publicly accessible.

Affected Systems

The affected software is Jenkins Project Jenkins. The vulnerability applies to all Jenkins releases up to and including version 2.567 and to LTS releases up to and including 2.555.2. Users running these versions are susceptible.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed exploitation in the wild to date. However, since the defect can be triggered by any user with Overall/Read permission and requires no further conditions, the risk is non‑negligible. The attack vector is likely remote, as the flaw is accessed through the Jenkins web UI. The provided CVSS score is not available, so the exact severity cannot be quantified from the data presented.

Generated by OpenCVE AI on June 10, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins to a version newer than 2.567 or to the latest LTS release beyond 2.555.2 where the permission checks have been corrected.
  • If an upgrade is not immediately possible, restrict the Overall/Read permission to trusted administrators only and remove or audit any custom extensions that might expose user configuration data.
  • Consider disabling or removing the features that expose user timezones or "My Views" if they are not needed, as a temporary measure until the official patch can be applied.

Generated by OpenCVE AI on June 10, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 10 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Permission Checks Missing in Jenkins Expose Timezone and View Names
Weaknesses CWE-200
CWE-284

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".
References

Subscriptions

Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:33:30.957Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53439

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:36.893

Modified: 2026-06-10T14:16:36.893

Link: CVE-2026-53439

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses