Critical Jenkins CVE-2026-27099 Exposes CI/CD Pipelines to Stored XSS Attacks
Jenkins core contains two vulnerabilities including high-severity stored XSS tracked as CVE-2026-27099. Attackers with Agent/Configure or Agent/Disconnect permissions inject JavaScript via node offline descriptions. Builds and admin panels face session hijacking risks.
The XSS flaw affects Jenkins 2.483 through 2.550 and LTS 2.492.1 through 2.541.1. Since version 2.483, offline cause fields accepted HTML. Vulnerable releases failed to escape user input properly. Malicious scripts execute when admins view agent status pages.
CVE-2026-27100 adds medium-risk build information disclosure. Attackers query Run Parameter values for unauthorized job details. Both flaws disclosed via Jenkins Bug Bounty Program sponsored by European Commission. Fixed versions 2.551 and LTS 2.541.2 escape inputs correctly.
Affected Versions Table
| Release Type | Vulnerable Range | Fixed Versions |
|---|---|---|
| Weekly | 2.483 to 2.550 inclusive | 2.551+ |
| LTS | 2.492.1 to 2.541.1 inclusive | 2.541.2+ |
Check via Manage Jenkins > System Information.
CVE-2026-27099 Attack Flow
Attackers follow these steps:
- Gain Agent/Configure or Agent/Disconnect permissions.
- Mark node offline with a `<script>alert('XSS')</script>` payload.
- Admins viewing agent status execute script in browsers.
- Steal CSRF tokens, session cookies, or trigger builds.
These permissions are often granted to service accounts.
CVE-2026-27100 Info Leak
Medium severity disclosure via Run Parameters:
- Query builds/jobs without Item/Read permission.
- Fingerprint existence of private projects.
- Enumerate build numbers and parameters.
- Map CI/CD pipeline structure.
Fixed by rejecting unauthorized parameter access.
Immediate Mitigation Steps
Apply patches now:
- Upgrade to Jenkins 2.551 or LTS 2.541.2.
- Enable Content Security Policy (CSP) on 2.539+.
- Revoke unnecessary Agent/Configure permissions.
- Audit offline node descriptions for payloads.
Restart Jenkins after upgrading to activate the fixes.
Permission Risk Assessment
| Permission | Risk Level | Mitigation |
|---|---|---|
| Agent/Configure | High | Restrict to admins |
| Agent/Disconnect | High | Service account only |
| Overall/Administer | Critical | Multi-factor auth |
Review RBAC immediately.
Partial CSP Protection
Jenkins 2.539+ with CSP blocks inline scripts partially:
- Stops `<script>` tags from executing.
- Allows inline styles and some attributes.
- Event handlers like `onerror` may work.
Full patching required for complete defense.
Supply Chain Impact
Compromised Jenkins instances enable:
- Malicious builds injecting trojanized artifacts.
- Credential theft from build secrets.
- Pipeline sabotage during deployments.
- Lateral movement to container registries.
DevOps golden images are also at risk.
Patch Verification Checklist
Confirm remediation status:
- Footer shows version 2.551+ (weekly) or 2.541.2+ (LTS).
- Test XSS payload fails in offline description.
- Run parameter queries return 403 for unauthorized jobs.
- CSP headers present in HTTP responses.
Automate via health checks.
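An added helper for such a health check, not code from the article or from the Jenkins project: it encodes the affected-version table above and scans the parsed `/computer/api/json` output for offline nodes whose offline cause contains markup. The JSON field names (`computer`, `displayName`, `offline`, `offlineCauseReason`) and the sample data are assumptions.

```python
import json
import re

# Inclusive affected ranges from the advisory tables above.
WEEKLY_RANGE = ((2, 483), (2, 550))          # fixed in 2.551
LTS_RANGE = ((2, 492, 1), (2, 541, 1))       # fixed in 2.541.2

# Anything that looks like an HTML tag or an inline event-handler attribute.
MARKUP = re.compile(r"<\s*/?[a-z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def parse_version(version):
    """'2.541.1' -> (2, 541, 1); weekly builds have two parts, LTS three."""
    return tuple(int(p) for p in version.strip().split("."))


def is_vulnerable(version):
    """True if this Jenkins core version lies inside an affected range."""
    parts = parse_version(version)
    if len(parts) == 2:
        lo, hi = WEEKLY_RANGE
    elif len(parts) == 3:
        lo, hi = LTS_RANGE
    else:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return lo <= parts <= hi


def suspicious_offline_causes(computer_api):
    """Return (node, reason) for offline nodes whose cause text contains markup.
    Input is the parsed JSON of /computer/api/json; the field names used here
    are assumed, adjust them to what your instance returns."""
    hits = []
    for node in computer_api.get("computer", []):
        reason = node.get("offlineCauseReason") or ""
        if node.get("offline") and MARKUP.search(reason):
            hits.append((node.get("displayName"), reason))
    return hits


def has_csp(headers):
    """True if a response header map carries a Content-Security-Policy header."""
    return any(k.lower() == "content-security-policy" for k in headers)


# Constructed sample of the computer API response, not captured from a real server.
# The second node shows that a bare '<' in ordinary text is not flagged.
SAMPLE_COMPUTER_API = json.loads("""{"computer": [
  {"displayName": "Built-In Node", "offline": false, "offlineCauseReason": ""},
  {"displayName": "linux-1", "offline": true, "offlineCauseReason": "disk a < b, ticket OPS-12"},
  {"displayName": "win-2", "offline": true, "offlineCauseReason": "maint <script>alert('XSS')</script>"}
]}""")
```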
FAQ
Agent/Configure or Agent/Disconnect.
2.551 (weekly), 2.541.2 (LTS).
Partially since 2.539. Full patch required.
Job/build existence, Run Parameter values.
No public PoCs reported as of February 22, 2026.