Description
Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.
Published: 2026-06-24
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Active Directory Plugin 2.41.1 and earlier fails to escape user names before constructing the LDAP search filter when using the Windows native (ADSI) authentication path. This omission permits an attacker to inject LDAP wildcard characters into the filter. As a result, an unauthenticated attacker can enumerate directory entries and, by guessing or knowing a target's password, authenticate as that user without knowing the exact user name.

Affected Systems

The vulnerability affects the Jenkins Active Directory Plugin distributed by the Jenkins Project. Versions 2.41.1 and earlier are impacted.

Risk and Exploitability

The flaw can be exploited through unauthenticated requests to the Jenkins AD authentication endpoint, making the attack surface large. The CVSS score is 3.7, indicating moderate risk. Because unauthenticated users can trigger the injection, the risk is high for environments exposed to the internet or untrusted networks. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog, but the potential for privilege escalation via LDAP injection warrants immediate awareness.

Generated by OpenCVE AI on June 24, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Jenkins Active Directory Plugin to the latest available version
  • Implement input validation or sanitization for the username field before it is used in LDAP queries
  • Limit network access to the Jenkins LDAP authentication endpoint to trusted IP ranges or VPNs
  • Monitor Jenkins logs for anomalous LDAP search patterns that include wildcards

Generated by OpenCVE AI on June 24, 2026 at 21:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title LDAP Injection in Jenkins Active Directory Plugin Allows Enumeration and Impersonation

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title LDAP Wildcard Injection in Jenkins Active Directory Plugin Allows unauthenticated Enumeration and Impersonation
First Time appeared Jenkins Project
Jenkins Project jenkins Active Directory Plugin
Weaknesses CWE-83
Vendors & Products Jenkins Project
Jenkins Project jenkins Active Directory Plugin

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title LDAP Wildcard Injection in Jenkins Active Directory Plugin Allows unauthenticated Enumeration and Impersonation
Weaknesses CWE-83
CWE-90
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.
References

Subscriptions

Jenkins Project Jenkins Active Directory Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:14:28.743Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57288

cve-icon Vulnrichment

Updated: 2026-06-24T14:14:24.709Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses
  • CWE-90

    Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')