Description
Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".
Published: 2026-06-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from missing permission checks in Jenkins versions 2.567 and earlier and LTS 2.555.2 and earlier. A user with Overall/Read permission can query the web interface to learn the configured timezone of other users and enumerate the names of other users’ "My Views". This allows the attacker to obtain sensitive user configuration data that should not be publicly accessible.

Affected Systems

The affected software is Jenkins Project Jenkins. The vulnerability applies to all Jenkins releases up to and including version 2.567 and to LTS releases up to and including 2.555.2. Users running these versions are susceptible.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed exploitation in the wild to date. However, since the defect can be triggered by any user with Overall/Read permission and requires no further conditions, the risk is non‑negligible. The attack vector is likely remote, as the flaw is accessed through the Jenkins web UI. The CVSS score is 4.3, indicating moderate severity.

Generated by OpenCVE AI on June 10, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins to a version newer than 2.567 or to the latest LTS release beyond 2.555.2 where the permission checks have been corrected.
  • If an upgrade is not immediately possible, restrict the Overall/Read permission to trusted administrators only and remove or audit any custom extensions that might expose user configuration data.
  • Consider disabling or removing the features that expose user timezones or "My Views" if they are not needed, as a temporary measure until the official patch can be applied.

Generated by OpenCVE AI on June 10, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Missing Permission Check in Jenkins Exposes User Timezone and View Names jenkins: Jenkins: Information Disclosure via Missing Permission Checks
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 11 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins jenkins
CPEs cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products Jenkins
Jenkins jenkins

Wed, 10 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Title Missing Permission Check in Jenkins Exposes User Timezone and View Names

Wed, 10 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Title Permission Checks Missing in Jenkins Expose Timezone and View Names
Weaknesses CWE-200
CWE-284

Wed, 10 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins
Vendors & Products Jenkins Project
Jenkins Project jenkins

Wed, 10 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Permission Checks Missing in Jenkins Expose Timezone and View Names
Weaknesses CWE-200
CWE-284

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".
References

Subscriptions

Jenkins Jenkins
Jenkins Project Jenkins
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T15:33:30.957Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53439

cve-icon Vulnrichment

Updated: 2026-06-10T15:33:27.373Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T14:16:36.893

Modified: 2026-06-11T13:06:36.427

Link: CVE-2026-53439

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-10T13:06:00Z

Links: CVE-2026-53439 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses