Impact
Jenkins versions 2.567 and earlier and LTS 2.555.2 and earlier do not validate the "from" parameter of the "Delegate to servlet container" security realm. As a result, an attacker can craft a login URL that redirects the user to an arbitrary, attacker-controlled domain after successful authentication, enabling phishing attacks that may trick users into providing credentials or other sensitive information. This flaw is a classic open-redirect vulnerability and poses a social engineering risk rather than a direct code-execution risk.
Affected Systems
The vulnerability affects the Jenkins project’s Jenkins product. Versions 2.567 and earlier, as well as LTS 2.555.2 and earlier, are vulnerable. Users running these releases should verify their current version against the affected list.
Risk and Exploitability
The EPSS score for this vulnerability is not available, and it is not listed in the CISA KEV catalog. While no specific CVSS score is provided, the flaw permits attackers to lure authenticated users into visiting malicious sites, a scenario that can lead to credential theft or other social-engineering outcomes. The likely attack vector is a malicious link, delivered directly or embedded in a page, that appears to be part of the Jenkins login flow. Exploitation requires no special access beyond being able to influence the login URL, and it can be carried out remotely over the web interface.
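The two points above, the missing validation of the post-login "from" target described under Impact and the remote, link-based exploitation described here, are illustrated by the following added example. It is not Jenkins project code and does not reproduce the project's fix; it shows the kind of check a login handler should apply to a redirect parameter (accept only single-slash paths inside the application, reject absolute URLs, protocol-relative "//host" forms, backslash and percent-encoded variants) and then applies the same check to constructed access-log lines so an operator can triage login requests whose "from" value points off-site. The context path, the log format and the sample log lines are assumptions made for the example.

```python
"""Safe-redirect validation and log triage for an open-redirect flaw.

Added illustration, not Jenkins project code: models the validation a
login handler should apply to a post-login "from" parameter, then reuses
that check to flag suspicious login requests in constructed access logs.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed application context path; deployments may also use e.g. "/jenkins".
CONTEXT_PATH = "/"


def is_safe_redirect_target(target: str) -> bool:
    """Return True only for targets that stay inside this application.

    Accepts a single-slash relative path such as "/job/x/". Rejects the
    empty string, absolute URLs (scheme present), protocol-relative
    "//host" forms, backslash variants that browsers may normalise to "/",
    and control characters. The value is percent-decoded first so an
    encoded "%2F%2F" cannot slip past the prefix check.
    """
    if not target:
        return False
    decoded = unquote(target)
    # Control characters and whitespace have no place in a redirect path.
    if re.search(r"[\x00-\x20\x7f]", decoded):
        return False
    # Some browsers treat a backslash as a slash; normalise before parsing.
    decoded = decoded.replace("\\", "/")
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False  # "https://example.org/x" or "//example.org"
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False  # relative-to-nowhere or "///host" style targets
    return decoded.startswith(CONTEXT_PATH)


# Constructed sample access-log lines in Common Log Format (not real data).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /login?from=%2Fjob%2Fbuild%2F HTTP/1.1" 200 512
203.0.113.9 - - [10/May/2024:12:00:07 +0000] "GET /login?from=https%3A%2F%2Fexample.org%2Flogin HTTP/1.1" 200 512
198.51.100.2 - - [10/May/2024:12:00:09 +0000] "GET /login?from=%2F%2Fexample.org HTTP/1.1" 200 512
198.51.100.7 - - [10/May/2024:12:00:12 +0000] "GET /job/build/ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) '
)


def find_offsite_redirects(log_text: str, login_path: str = "/login"):
    """Return (client_ip, from_value) pairs for login requests whose
    "from" parameter fails is_safe_redirect_target()."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("url"))
        if parts.path != login_path:
            continue
        # parse_qs already percent-decodes; the check decodes again, which
        # only makes it stricter.
        for value in parse_qs(parts.query).get("from", []):
            if not is_safe_redirect_target(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in find_offsite_redirects(SAMPLE_LOG):
        print(f"off-site redirect target from {ip}: {value!r}")
```

In a real deployment the safest fix is upgrading to a patched release; the check above is the shape of the allow-list validation such a fix applies, and the log scan is a way to look back at whether login URLs with external targets were ever served.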
OpenCVE Enrichment