Description
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
Published: 2026-06-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Secrets submitted to a job's POST config.xml endpoint are written to that job's config.xml on the Jenkins controller without being encrypted. Those files can be read by users holding Item/Extended Read permission on the job, or by anyone with read access to the controller file system, so either party can recover the secrets. The weakness maps to CWE-312 (Cleartext Storage of Sensitive Information) and CWE-311 (Missing Encryption of Sensitive Data).

Affected Systems

Jenkins weekly releases up to and including 2.567 and LTS releases up to and including 2.555.2 are affected. Job config.xml files written by these versions from POST config.xml submissions may contain unencrypted secrets. Administrators running a version in either range should review the job configuration files on the controller to assess exposure.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium) and the EPSS score is below 1%, so the predicted probability of exploitation in the wild is very low but not zero. Exploitation requires Item/Extended Read permission on an affected job or read access to the controller file system; the attack is therefore internal to the Jenkins deployment, reachable locally or over the network depending on how the controller is exposed. Note that the recorded CVSS vector (AV:N/PR:N) rates the issue as network-reachable without privileges, which is broader than the permission requirement stated in the description. The impact is confidentiality-only (disclosure of stored secrets), which is what the score reflects, but disclosed secrets can be reused against other systems, so affected configurations should be reviewed promptly. The vulnerability is not listed in CISA's KEV catalogue.

Generated by OpenCVE AI on June 12, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins to a release in which this issue has been resolved.
  • If an upgrade is not possible, restrict the Item/Extended Read permission to trusted users only and protect the controller filesystem from unauthorized access.
  • Reconfigure jobs to reference secrets from the Jenkins credentials store instead of embedding them in config.xml, so that the stored values are encrypted.
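A script an administrator could use to carry out the review recommended above (an added example, not OpenCVE's or the Jenkins project's own code). It classifies a Jenkins version string against the ranges in the description, treating three-component versions (2.555.2) as LTS and two-component versions (2.567) as weekly releases, and scans job config.xml files for secret-looking elements whose value is not in the brace-wrapped base64 form that hudson.util.Secret writes for encrypted values. The sample config.xml is constructed for the example; the element names it matches on, the handling of <defaultValue> under a password parameter, and the location of the controller version in $JENKINS_HOME/config.xml are assumptions.

```python
"""Audit helper for CVE-2026-53442 (added example, not Jenkins project code).
is_affected(): version range check. find_plaintext_secrets(): unencrypted
secret-looking values in a job config.xml.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

AFFECTED_WEEKLY = (2, 567)   # "2.567 and earlier"
AFFECTED_LTS = (2, 555, 2)   # "LTS 2.555.2 and earlier"

# Element names that commonly carry a secret (assumption; extend for the
# plugins installed on the controller).
SECRET_NAME_RE = re.compile(r"password|passwd|secret|token|passphrase|api.?key", re.I)
# Generic value elements whose PARENT decides whether they hold a secret,
# e.g. <defaultValue> inside a hudson.model.PasswordParameterDefinition.
VALUE_TAGS = {"defaultValue", "value"}
# hudson.util.Secret serialises an encrypted value as "{" + base64 + "}".
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def is_affected(version):
    """Assumption: LTS versions have three components, weekly releases two."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) == 3:
        return parts <= AFFECTED_LTS
    if len(parts) == 2:
        return parts <= AFFECTED_WEEKLY
    raise ValueError("unrecognised Jenkins version: %r" % version)

def redact(value):
    """Keep two characters so a hit can be matched to its source without
    copying the secret itself into the audit output."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def find_plaintext_secrets(xml_text, path="config.xml"):
    """Return [(path, 'parent/tag', redacted_value), ...] for unencrypted secrets."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if not text:
            continue
        tag = elem.tag.split("}")[-1]   # drop any namespace prefix
        parent_tag = parent_of[elem].tag.split("}")[-1] if elem in parent_of else ""
        secret_like = SECRET_NAME_RE.search(tag) is not None or (
            tag in VALUE_TAGS and SECRET_NAME_RE.search(parent_tag) is not None)
        if secret_like and not ENCRYPTED_RE.match(text):
            findings.append((path, "%s/%s" % (parent_tag, tag), redact(text)))
    return findings

def scan_jenkins_home(jenkins_home):
    """Walk jobs/**/config.xml so jobs nested in folders are covered too."""
    findings = []
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        findings.extend(find_plaintext_secrets(cfg.read_text(encoding="utf-8"), str(cfg)))
    return findings

def controller_version(jenkins_home):
    """Assumption: $JENKINS_HOME/config.xml records the version in <version>."""
    elem = ET.parse(Path(jenkins_home) / "config.xml").getroot().find("version")
    return elem.text.strip() if elem is not None and elem.text else None

# Constructed sample job config (not from a real controller): a password
# parameter default left in plaintext, an encrypted token and ordinary
# elements that must not be flagged, and a plaintext password.
SAMPLE_CONFIG = """<project>
  <description>sample job</description>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.PasswordParameterDefinition>
          <name>DEPLOY_PASSWORD</name>
          <defaultValue>hunter2</defaultValue>
        </hudson.model.PasswordParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
  <builders><example.Builder>
    <apiToken>{AQAAABAAAAAQc29tZS1lbmNyeXB0ZWQtYmxvYg==}</apiToken>
    <password>plaintext-secret</password>
  </example.Builder></builders>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:            # usage: python audit.py /var/lib/jenkins
        home = sys.argv[1]
        version = controller_version(home)
        print("controller %s affected=%s" % (version, is_affected(version) if version else "unknown"))
        hits = scan_jenkins_home(home)
    else:                             # no argument: demonstrate on the sample
        hits = find_plaintext_secrets(SAMPLE_CONFIG)
    for path, where, preview in hits:
        print("%s: %s = %s" % (path, where, preview))
```

Run it against the controller's JENKINS_HOME from a host that already has file system access; it never transmits the values it finds, only a two-character prefix. Hits are leads rather than proof: a plugin may store a secret under an element name the pattern does not cover, and a value in an older or non-standard encrypted format will be reported as plaintext. Anything confirmed as plaintext should be treated as exposed to every Item/Extended Read holder and rotated, not just re-saved in encrypted form.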


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 11:15:00 +0000
  Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 01:00:00 +0000
  First Time appeared: Jenkins; Jenkins / jenkins
  CPEs: added cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*; cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
  Vendors & Products: added Jenkins; Jenkins / jenkins

Fri, 12 Jun 2026 00:15:00 +0000
  Title: removed "Plaintext Secrets Stored in Jenkins Job Configurations"; added "jenkins: Jenkins: Information disclosure of secrets via unencrypted storage"
  Weaknesses: added CWE-312
  References: updated
  Metrics: threat_severity changed from None to Moderate

Wed, 10 Jun 2026 18:30:00 +0000
  Title: added "Plaintext Secrets Stored in Jenkins Job Configurations"

Wed, 10 Jun 2026 16:30:00 +0000
  Weaknesses: added CWE-311
  Metrics: added cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 10 Jun 2026 15:15:00 +0000
  First Time appeared: Jenkins Project; Jenkins Project / jenkins
  Vendors & Products: added Jenkins Project; Jenkins Project / jenkins

Wed, 10 Jun 2026 13:30:00 +0000
  Description: added "Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system."
  References: updated

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T14:36:51.655Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53442

Vulnrichment

Updated: 2026-06-10T14:36:06.238Z

NVD

Status : Analyzed

Published: 2026-06-10T14:16:37.180

Modified: 2026-06-12T00:59:52.957

Link: CVE-2026-53442

Redhat

Severity : Moderate

Public Date: 2026-06-10T13:06:02Z

Links: CVE-2026-53442 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-12T01:30:08Z

Weaknesses
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-312: Cleartext Storage of Sensitive Information