
Critical Vulnerabilities Discovered in Jenkins Plugins

Severity: High (Score: 72.0)

Sources: Nvd.Nist, cve.org

Published: 2026-05-28 · Updated: 2026-05-28

Summary

Two significant vulnerabilities have been identified in Jenkins plugins: CVE-2026-48922 and CVE-2026-48925. The Jenkins Credentials Binding Plugin allows attackers to write files to arbitrary locations, potentially leading to remote code execution; this affects versions 720.v3f6decef43ea_ and earlier. The second vulnerability, CVE-2026-48925, is a cross-site request forgery (CSRF) flaw in the Jenkins GitHub Integration Plugin that lets attackers trigger builds for pull requests. Both vulnerabilities were published on May 27, 2026, and pose serious risks to Jenkins users. Immediate action is recommended to mitigate these threats.

Key Points:

  • CVE-2026-48922 allows remote code execution via the Credentials Binding Plugin.
  • CVE-2026-48925 enables CSRF attacks in the GitHub Integration Plugin.
  • Both vulnerabilities were published on May 27, 2026, and require urgent attention.

Detailed Analysis

**Impact**

Organizations running Jenkins with the Credentials Binding Plugin version 720.v3f6decef43ea_ or earlier, or the GitHub Integration Plugin version 0.7.3 or earlier, are affected. The Credentials Binding Plugin vulnerability allows attackers who can supply credentials to a job to write files to arbitrary locations on the node filesystem, potentially leading to remote code execution. The GitHub Integration Plugin vulnerability enables attackers to trigger unauthorized builds via CSRF. No specific sectors, geographies, or data volumes are provided.

**Technical Details**

CVE-2026-48922 stems from improper sanitization of file names for file and zip file credentials in the Jenkins Credentials Binding Plugin; an attacker able to supply credentials to a job can cause arbitrary file writes and possibly remote code execution on the built-in node. CVE-2026-48925 is a CSRF vulnerability in the Jenkins GitHub Integration Plugin that allows attackers to trigger builds for pull requests. No malware, tools, or infrastructure details are provided. Both vulnerabilities affect the execution and build stages of the kill chain.

**Recommended Response**

Update the Jenkins Credentials Binding Plugin to a release later than 720.v3f6decef43ea_ and the GitHub Integration Plugin to a release later than 0.7.3 immediately. Restrict job configuration permissions to trusted users only and implement CSRF protections. Monitor for unusual file writes on Jenkins nodes and for unauthorized build triggers. No specific IOCs are available for detection or blocking.
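As an added defensive illustration of the file-name sanitization issue described above (example code written for this page, not code from Jenkins or the Credentials Binding Plugin, and a Python sketch rather than the plugin's Java): a file name or zip entry name supplied with a credential is confined to the binding directory before anything is written, and a zip containing even one traversal entry is rejected before the first write. The names `safe_target`, `bind_zip_credential` and `demo` are hypothetical, and the zip contents are constructed sample data.

```python
import io, tempfile, zipfile
from pathlib import Path, PurePosixPath


class UnsafeCredentialName(ValueError):
    """A credential-supplied name would land outside the binding directory."""


def safe_target(binding_dir, name: str):
    """binding_dir/name as a Path, or None if the name is empty, absolute, contains '..'
    or a backslash, or (with symlinks followed) resolves outside binding_dir."""
    pure = PurePosixPath(name)
    if not name or "\\" in name or pure.is_absolute() or ".." in pure.parts:
        return None
    root = Path(binding_dir).resolve()
    target = (root / pure).resolve()
    return target if target != root and root in target.parents else None


def bind_zip_credential(binding_dir, zip_bytes: bytes) -> list:
    """Unpack a zip credential; every entry name is checked before the first write."""
    root = Path(binding_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [(i, safe_target(root, i.filename)) for i in zf.infolist()]
        if bad := [i.filename for i, t in entries if t is None]:
            raise UnsafeCredentialName(f"rejected entry names: {bad}")
        written = []
        for info, target in entries:
            if not info.is_dir():  # directory entries need no file on disk
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
                written.append(target.relative_to(root).as_posix())
    return written


def _zip(entries: dict) -> bytes:  # constructed sample zip from {entry_name: text}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def demo() -> dict:
    """Bind a benign zip, then one carrying a traversal entry, into a fresh temp dir."""
    root = Path(tempfile.mkdtemp())
    written = bind_zip_credential(root, _zip({"certs/client.pem": "constructed pem"}))
    try:
        bind_zip_credential(root, _zip({"ok.txt": "x", "../../outside.txt": "never"}))
        blocked = False
    except UnsafeCredentialName:
        blocked = True
    return {"written": written, "blocked": blocked, "partial": (root / "ok.txt").exists()}
```

The same `safe_target` check applies to a single file credential: reject the name before writing, rather than writing first and cleaning up later.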

Source articles (4)

  • CVE-2026-48925 Detail — Nvd.Nist · 2026-05-28
    A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request.
  • CVE-2026-48922 Detail — Nvd.Nist · 2026-05-28
    Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to wr…
  • CVE-2026-48925 — cve.org · 2026-05-28
  • CVE-2026-48922 — cve.org · 2026-05-28

Timeline

  • 2026-05-27 — CVE-2026-48922 published: A vulnerability in the Jenkins Credentials Binding Plugin allows arbitrary file writing, risking remote code execution.
  • 2026-05-27 — CVE-2026-48925 published: A CSRF vulnerability in the Jenkins GitHub Integration Plugin allows unauthorized build triggers for pull requests.
  • 2026-05-28 — Security advisory issued: Jenkins users are advised to update their plugins immediately to mitigate the identified vulnerabilities.

CVEs

  • CVE-2026-48922
  • CVE-2026-48925

Related entities

  • Cross-site request forgery (Vulnerability)
  • CWE-22 - Path Traversal (Cwe)
  • CWE-352 - Cross-Site Request Forgery (CSRF) (Cwe)
  • Jenkins (Platform)