Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A CSRF vulnerability in the Jenkins Multijob Plugin permits an attacker who can send a crafted request to a logged‑in user to resume a previously failed multijob build. The unauthorized resumption can trigger downstream steps or cause unintended job executions, potentially compromising the integrity of continuous‑integration pipelines. The flaw does not provide arbitrary code execution but may lead to accidental or malicious re‑execution of jobs that were intended to fail.

Affected Systems

The vulnerability affects Jenkins Multijob Plugin versions 662.vd2e0001f6b_b_d and older. These plugin versions are deployed in Jenkins automation environments where multiple job executions are orchestrated together.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the likelihood of exploitation remains uncertain. Based on the description, the likely attack vector involves a remote attacker submitting a crafted HTTP request that bypasses CSRF protection; the inference is that the attacker would need to target an authenticated Jenkins user with permissions to resume builds.

Generated by OpenCVE AI on May 27, 2026 at 22:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Multijob Plugin to the latest version that contains the CSRF fix.
  • Enable Jenkins’s global CSRF protection and configure the CSRF security realm appropriately.
  • Restrict the users or roles that have permission to resume failed builds to limit the impact of an unauthorized request.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type: First Time appeared
Values Added: Jenkins Project; Jenkins Project jenkins Multijob Plugin

Type: Vendors & Products
Values Added: Jenkins Project; Jenkins Project jenkins Multijob Plugin

Thu, 28 May 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Jenkins; Jenkins multijob

Type: CPEs
Values Added: cpe:2.3:a:jenkins:multijob:*:*:*:*:*:jenkins:*:*

Type: Vendors & Products
Values Added: Jenkins; Jenkins multijob

Wed, 27 May 2026 23:00:00 +0000

Type: Title
Values Added: CSRF Exploit Enables Unauthorized Resumption of Failed Jenkins Multijob Builds

Wed, 27 May 2026 16:30:00 +0000

Type: Weaknesses
Values Added: CWE-352

Type: Metrics
Values Added: cvssV3_1
{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type: Description
Values Added: A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds.

Type: References
Values Added: (none recorded)

Subscriptions

Jenkins Multijob
Jenkins Project Jenkins Multijob Plugin
MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-05-27T15:19:37.636Z

Reserved: 2026-05-27T06:41:59.056Z

Link: CVE-2026-9674

Vulnrichment

Updated: 2026-05-27T15:19:30.808Z

NVD

Status : Analyzed

Published: 2026-05-27T15:16:36.080

Modified: 2026-05-28T16:51:11.540

Link: CVE-2026-9674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:21:48Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)