Description
A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins MCP Server Plugin does not enforce a permission check when a user requests the replay scripts of a Pipeline job. Because the plugin gates the request only on the Item/Read permission, any user who can read a job can also retrieve the entire script that defines that job's pipeline. The leak exposes the build logic stored in the script and is an information-disclosure weakness classified as improper access control (CWE-284).

Affected Systems

All installations of the Jenkins MCP Server Plugin version 0.177 and earlier are affected. The plugin is distributed as part of the Jenkins Project ecosystem. Administrators should verify the version in use and consider moving to a more recent release if one is available.

Risk and Exploitability

The CVSS score is 4.3. No EPSS score is available, which makes the likelihood of exploitation hard to assess. The issue is not listed in the CISA KEV catalog, and no confirmed public exploits are known at this time. The likely attack vector is a user who already holds Item/Read permission on a job: if the plugin's endpoint is reachable, that user can call its API to retrieve the job's replay script. The weak authorization check allows such a user to exfiltrate the referenced script files.

Generated by OpenCVE AI on June 24, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a newer release of the Jenkins MCP Server Plugin if one is available.
  • Restrict the Item/Read permission to trusted users or remove it from users who do not need direct access to job definitions.
  • Disable or remove the replay script functionality if it is not required, or configure the plugin to enforce stricter access controls on script retrieval.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Exposes Pipeline Replay Scripts in Jenkins MCP Server Plugin
Weaknesses CWE-284

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Exposes Pipeline Replay Scripts in Jenkins MCP Server Plugin
Weaknesses CWE-284
CWE-862
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb_2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:36:37.590Z

Reserved: 2026-06-24T08:41:44.359Z

Link: CVE-2026-57300

Vulnrichment

Updated: 2026-06-24T14:35:31.557Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T17:00:13Z

Weaknesses