Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑site request forgery in Jenkins Priority Sorter Plugin versions up to 936.v2c01c6b_84449 permits an attacker to overwrite the global job priority configuration. By forging authenticated requests, a malicious user can modify how jobs are scheduled across the entire Jenkins instance, potentially altering build order and resource allocation. This is a configuration‑control weakness (CWE‑352) that could lead to denial of service or unfair scheduling advantages.

Affected Systems

The vulnerability affects the Jenkins Priority Sorter Plugin under the Jenkins Project. Versions 936.v2c01c6b_84449 and earlier are vulnerable; all other Jenkins plugins and core components are not directly affected.

Risk and Exploitability

No EPSS score has been published and the issue is not listed in CISA KEV, suggesting limited public exploitation to date. However, exploitation only requires that a forged request reach Jenkins from a browser that already holds an authenticated session, typically by luring a logged-in user to an attacker-controlled page; the CVSS vector reflects this (PR:N, UI:R). Given the potential to disrupt CI/CD pipelines and the lack of mitigations in the affected plugin, the risk level should be treated as moderate to high until a patched version is applied. The CVSS base score of 4.3 indicates moderate severity.

Generated by OpenCVE AI on June 24, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Priority Sorter Plugin to the latest version released by the maintainers, which addresses the CSRF vulnerability.
  • Restrict access to the plugin’s configuration settings so that only trusted administrators can modify job priorities; consider using Jenkins matrix-based security or role-based access control.
  • Ensure that the Jenkins instance has CSRF protection enabled. If not, enable the CSRF prevention feature in the global Jenkins configuration or add a CSRF filter that applies to requests affecting the Priority Sorter Plugin.


Tracking


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Priority Sorter Plugin CSRF Leading to Overwrite of Global Job Priority Configuration

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Priority Sorter Plugin CSRF Leading to Overwrite of Global Job Priority Configuration
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A cross-site request forgery (CSRF) vulnerability in Jenkins Priority Sorter Plugin 936.v2c01c6b_84449 and earlier allows attackers to overwrite the global job priority configuration.
References


MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T15:11:51.183Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57290

Vulnrichment

Updated: 2026-06-24T15:11:47.457Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:00:13Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)