Description
A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing permission check in the Jenkins GitHub Branch Source Plugin allows users with Overall/Read permission to read the URLs of GitHub Enterprise servers that are configured in the global plugin configuration. The vulnerability results in the disclosure of potentially sensitive connection details that could be used to locate and possibly connect to corporate GitHub Enterprise instances.

Affected Systems

The Jenkins Project's GitHub Branch Source Plugin, version 1967.1969.v205fd594c821 and earlier, is affected. Any Jenkins installation that uses this plugin and has GitHub Enterprise servers configured for use by the plugin is susceptible.

Risk and Exploitability

The issue requires only existing read rights: an attacker needs just a normal account with Overall/Read permission, which is a common role. No additional exploitation steps are disclosed. The CVSS v3.1 base score is 4.3 (Medium), the EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the ability to learn internal GitHub Enterprise URLs is a moderate to high risk to confidentiality, especially in environments where the URLs themselves reveal network topology or enable other attack vectors.

Generated by OpenCVE AI on June 24, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins GitHub Branch Source Plugin to a version newer than 1967.1969.v205fd594c821.
  • Restrict the Overall/Read permission to trusted personnel only, or remove the ability for Read accounts to view plugin configuration where possible.
  • Audit Jenkins instances for exposed plugin configuration and verify that no unauthorized users have read access to the GitHub Branch Source settings.

Advisories

No advisories yet.

History

Each entry lists the field that changed and the values removed or added.

Wed, 24 Jun 2026 17:15:00 +0000
  First Time appeared: Jenkins Project; Jenkins Project jenkins Github Branch Source Plugin
  Vendors & Products: Jenkins Project; Jenkins Project jenkins Github Branch Source Plugin

Wed, 24 Jun 2026 15:00:00 +0000
  Title: Missing Permission Check Exposes GitHub Enterprise Server URLs in Jenkins GitHub Branch Source Plugin
  Weaknesses: CWE-284

Wed, 24 Jun 2026 14:30:00 +0000
  Weaknesses: CWE-862
  Metrics:
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 13:45:00 +0000
  Description: A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.
  References:

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:02:32.219Z

Reserved: 2026-06-24T08:41:44.357Z

Link: CVE-2026-57285

Vulnrichment

Updated: 2026-06-24T14:02:28.337Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:00:13Z

Weaknesses