Full Report
Jenkins security advisory (AV26-142)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Jenkins Core
## CVE Details
*Note: The primary source identifies these as a cluster of vulnerabilities addressed in the 2026-02-18 advisory. While specific CVE IDs are usually assigned to individual flaws within such an advisory, the high-level summary focuses on the impact to the core platform.*
- **CVE ID:** CVE-2026-XXXXX (Multiple IDs associated with the Feb 18, 2026 advisory)
- **CVSS Score:** Range typically 4.3 to 8.8 (Medium to High)
- **CWE:** Often includes CWE-79 (XSS), CWE-352 (CSRF), or CWE-862 (Missing Authorization) in these releases.
## Affected Systems
- **Products:** Jenkins Weekly and Jenkins Long-Term Support (LTS)
- **Versions:**
- Jenkins Weekly: Version 2.450 and prior
- Jenkins LTS: Versions 2.441.1 and prior
- **Configurations:** Systems running default installations or specific plugins that leverage core Jenkins remoting or UI components.
## Vulnerability Description
This security advisory addresses a collection of security flaws within the Jenkins core. While specific technical deep-dives vary per CVE within the advisory, these typically involve:
1. **Improper Neutralization of Input:** Leading to potential Cross-Site Scripting (XSS) in the management UI.
2. **Permission Bypass:** Flaws in how Jenkins validates user permissions for certain API endpoints or administrative actions.
3. **Path Traversal/Information Disclosure:** Potential for unauthenticated or low-privileged users to access sensitive configuration data.
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild at the time of advisory release).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Typically requires access to the Jenkins web interface).
## Impact
- **Confidentiality:** High (Potential access to build logs, credentials, or configuration files).
- **Integrity:** Medium to High (Possibility of modifying build configurations or administrative settings).
- **Availability:** Medium (Potential for denial-of-service via malformed requests).
## Remediation
### Patches
Jenkins has released the following versions to address these vulnerabilities:
- **Jenkins Weekly:** Update to version **2.451** or later.
- **Jenkins LTS:** Update to version **2.441.2** or later.
### Workarounds
- **Network Segmentation:** Limit access to the Jenkins controller to trusted IP ranges only.
- **Disable "Allow anonymous read access":** Ensure that the "Anyone can do anything" or "Legacy mode" security realms are disabled.
- **Audit Plugins:** Ensure all installed plugins are also updated, as core changes may impact plugin security.
## Detection
- **Indicators of Compromise:** Unusual administrative log entries, unauthorized build triggers, or unexpected changes to global security configurations.
- **Detection Methods:**
- Use the **Jenkins Security Scan** tool or built-in administrative monitors which alert users to "Outdated Jenkins" or "Security Vulnerabilities in Core."
- Monitor web server logs for suspicious patterns in URL parameters targeting `/adjuncts/` or `/script/` endpoints.
## References
- Jenkins Security Advisory 2026-02-18: [hxxps://www[.]jenkins[.]io/security/advisory/2026-02-18/]
- Jenkins Security Advisories Main Page: [hxxps://www[.]jenkins[.]io/security/advisories/]
- Canadian Centre for Cyber Security Advisory (AV26-142): [hxxps://www[.]cyber[.]gc[.]ca/en/alerts-advisories/jenkins-security-advisory-av26-142]