In a recent security advisory, significant vulnerabilities have been uncovered within Jenkins Core that could expose build environments to severe cross-site scripting (XSS) attacks. These vulnerabilities, identified as CVE-2026-27099 and CVE-2026-27100, were responsibly disclosed through the Jenkins Bug Bounty Program, with support from the European Commission.
Understanding the Critical Vulnerabilities
The most critical vulnerability, CVE-2026-27099, is a high-severity stored XSS flaw affecting Jenkins versions 2.550 and earlier, including LTS versions up to 2.541.1. This flaw arises from improper handling of ‘offline cause descriptions’ in Jenkins, allowing for HTML content that could be maliciously manipulated. As a result, attackers with specific permissions could inject harmful JavaScript, compromising user sessions.
Jenkins has addressed this issue in versions 2.551 and LTS 2.541.2 by ensuring that user-supplied input is properly escaped, thus mitigating the risk of such attacks. Moreover, instances with Content Security Policy (CSP) enforcement from version 2.539 onwards have partial protection against these vulnerabilities.
Additional Vulnerability in Run Parameters
The second vulnerability, CVE-2026-27100, is rated as medium severity and relates to the handling of Run Parameter values in Jenkins. This flaw allowed unauthorized users to query builds or jobs, leading to potential information disclosure. Jenkins versions up to 2.550 and LTS 2.541.1 were affected, enabling attackers to ascertain the existence of projects or builds without proper permissions.
To counter this, Jenkins versions 2.551 and LTS 2.541.2 have implemented improved security measures to reject unauthorized Run Parameter values, thereby preventing data leakage.
Recommendations for Jenkins Users
It is strongly advised that Jenkins administrators update their systems to versions 2.551 or LTS 2.541.2 to protect against these vulnerabilities. Failing to update leaves builds susceptible to script injection and unauthorized information exposure. Ensuring the latest security updates are applied is crucial for maintaining a secure Jenkins environment.
For ongoing cybersecurity updates, follow us on Google News, LinkedIn, and X. Reach out if you wish to feature your security stories.
