Impact
A missing permission check in the Jenkins EC2 Fleet Plugin allows a user with only Overall/Read access to instruct the plugin to connect to any URL that the attacker provides. When the attacker supplies a credentials ID acquired elsewhere, the plugin uses that ID to authenticate to the target, resulting in the exfiltration of any AWS credentials stored in Jenkins. This flaw enables an attacker to obtain privileged AWS access without requiring elevated Jenkins permissions, compromising the confidentiality of cloud credentials and potentially all resources associated with them.
Affected Systems
The Jenkins EC2 Fleet Plugin versions 4.2.3.539.v8fedff2a_81c3 and all earlier releases are affected. Deployments using these plugin versions are vulnerable regardless of other Jenkins components.
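To check an inventory against the affected range above, the following added example (not part of the advisory or the plugin project) flags EC2 Fleet entries in a `name:version` plugin list. It assumes the plugin's short name is `ec2-fleet` and compares only the leading numeric version components, ignoring the commit suffix.

```python
# Last affected release, taken from the advisory text above.
LAST_AFFECTED = "4.2.3.539.v8fedff2a_81c3"
# Assumption: the plugin's short name in the inventory is "ec2-fleet".
PLUGIN_ID = "ec2-fleet"


def numeric_key(version):
    """Return the leading numeric components of a plugin version as a tuple.

    Parsing stops at the first non-numeric component (the "v<commit>" suffix
    or a qualifier), which this simplified comparison ignores.
    """
    key = []
    for part in version.strip().split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def is_affected(version):
    """True/False for a parseable version, None when it needs manual review."""
    key = numeric_key(version)
    if not key:
        return None
    return key <= numeric_key(LAST_AFFECTED)


def audit(plugins_txt):
    """Return (version, verdict) for every EC2 Fleet line in a name:version list."""
    findings = []
    for line in plugins_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        name, version = line.split(":", 1)
        if name.strip() == PLUGIN_ID:
            findings.append((version.strip(), is_affected(version)))
    return findings


# Constructed sample inventory, not taken from a real controller.
SAMPLE = """\
git:5.2.1
ec2-fleet:4.2.3.539.v8fedff2a_81c3   # last affected build per the advisory
ec2-fleet:3.2.0
ec2-fleet:4.2.4.1.vdeadbeef0000      # constructed higher version number
ec2-fleet:latest
"""

if __name__ == "__main__":
    for version, verdict in audit(SAMPLE):
        print(f"{PLUGIN_ID} {version}: affected={verdict}")
```

A verdict of `None` means the version string has no numeric prefix (for example `latest`) and the installed build must be confirmed on the controller itself.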
Risk and Exploitability
The CVSS score is 5.4 and no EPSS score is available, so the quantitative risk is moderate. The attack needs only the Overall/Read privilege, which is common in many Jenkins installations, and a valid credentials ID, which can be obtained by other means. Because the exploit is a simple outbound request to an attacker-supplied URL, it can be carried out from any network host that can reach the Jenkins instance. The vulnerability is not listed in the CISA KEV catalog, indicating no publicized exploitation yet, but the potential to expose AWS credentials represents a moderate-to-high impact risk.