Description
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
Published: 2026-06-10
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Because of this vulnerability, secrets submitted via POST config.xml are stored unencrypted in job configuration files (config.xml) on the Jenkins controller. Those files can be read by users with Item/Extended Read permission or by anyone with access to the controller filesystem, exposing the stored credentials. The weakness is a classic case of missing encryption of sensitive data stored in plaintext (CWE-311).

Affected Systems

All Jenkins Project Jenkins releases up to version 2.567, and Long-Term Support releases up to 2.555.2, are affected. Any job configuration files generated by these versions may contain unencrypted credentials. Administrators should review deployments running within these version ranges to assess exposure.

Risk and Exploitability

The CVSS score is not provided in the advisory, and no EPSS score is available. The vulnerability can be exploited by any actor who possesses Item/Extended Read permission or who can read the Jenkins controller filesystem. The attack vector is inferred to be internal to the Jenkins environment, either local or remote, depending on network exposure. Given the potential for credential theft, the risk is significant and warrants immediate attention. The vulnerability is not listed in CISA's KEV catalogue.

Generated by OpenCVE AI on June 10, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Jenkins to a release in which this issue has been resolved.
  • If an upgrade is not possible, restrict the Item/Extended Read permission to trusted users only and protect the controller filesystem from unauthorized access.
  • Reconfigure jobs to use the Jenkins credentials store instead of embedding secrets in config.xml, so that the secrets are stored encrypted.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared  (none)            Jenkins Project; Jenkins Project jenkins
Vendors & Products   (none)            Jenkins Project; Jenkins Project jenkins

Wed, 10 Jun 2026 13:30:00 +0000

Type          Values Removed    Values Added
Description   (none)            Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-10T14:36:51.655Z

Reserved: 2026-06-09T14:26:44.789Z

Link: CVE-2026-53442

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T14:16:37.180

Modified: 2026-06-10T14:16:37.180

Link: CVE-2026-53442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses

No weakness.