Jenkins patches high-severity plugin flaws tied to path traversal and stored XSS


Jenkins has released security updates for seven plugin vulnerabilities that affect widely used CI/CD environments. The advisory includes three High-severity flaws involving path traversal and stored cross-site scripting, plus four Medium-severity issues across other Jenkins plugins.

The most serious issue affects the Credentials Binding Plugin. Tracked as CVE-2026-42520, the flaw can let attackers write files to arbitrary locations on the node filesystem in specific Jenkins configurations.

Jenkins administrators should update the affected plugins quickly, especially in environments where low-privileged users can configure jobs, credentials, GitHub integrations, or published HTML reports.

What Jenkins fixed

The April 29 advisory covers vulnerabilities in Credentials Binding, GitHub, GitHub Branch Source, HTML Publisher, Matrix Authorization Strategy, Microsoft Entra ID, and Script Security plugins.

The High-severity issues affect three plugins. Credentials Binding had a path traversal flaw, while GitHub Plugin and HTML Publisher Plugin had stored XSS vulnerabilities.

The Medium-severity issues involve missing permission checks, unsafe deserialization, unauthorized connection testing, and an open redirect bug that could support phishing attacks.

At a glance

Plugin                         CVE             Severity  Fixed version
Credentials Binding            CVE-2026-42520  High      720.v3f6decef43ea_
GitHub Plugin                  CVE-2026-42523  High      1.46.0.1
HTML Publisher                 CVE-2026-42524  High      427.1
Script Security                CVE-2026-42519  Medium    1402.v94c9ce464861
Matrix Authorization Strategy  CVE-2026-42521  Medium    3.2.10
GitHub Branch Source           CVE-2026-42522  Medium    1967.1969.v205fd594c821
Microsoft Entra ID             CVE-2026-42525  Medium    667.v4c5827a_e74a_0
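As an added check (not from the advisory or any Jenkins tool), the script below compares an installed-plugin inventory against the fixed versions in the table above and reports what is still exposed; the plugin short names, the one-per-line `id:version` export format and the sample inventory are this example's assumptions.

```python
"""Flag installed plugins still below the fixed versions from the advisory table."""
import re
from itertools import takewhile

# Fixed versions and CVEs come from the advisory table; the plugin ids are this
# example's assumption of each plugin's short name, not text from the page.
FIXED = {
    "credentials-binding": ("720.v3f6decef43ea_", "CVE-2026-42520"),
    "github": ("1.46.0.1", "CVE-2026-42523"),
    "htmlpublisher": ("427.1", "CVE-2026-42524"),
    "script-security": ("1402.v94c9ce464861", "CVE-2026-42519"),
    "matrix-auth": ("3.2.10", "CVE-2026-42521"),
    "github-branch-source": ("1967.1969.v205fd594c821", "CVE-2026-42522"),
    "azure-ad": ("667.v4c5827a_e74a_0", "CVE-2026-42525"),
}

# Constructed inventory in an assumed "<id>:<version>" per-line export format.
SAMPLE_INVENTORY = """\
credentials-binding:719.v80e905ef14eb_
github:1.46.0
htmlpublisher:427.1
matrix-auth:3.2.9
workflow-job:1500.v0a1b2c3d4e5f
"""
LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*:\s*(\S+)\s*$")

def version_key(version: str) -> list:
    """Leading numeric components as ints (so 3.2.9 < 3.2.10); the non-ordinal
    'v<hash>' suffix of incremental versions is dropped."""
    return [int(p) for p in takewhile(str.isdigit, version.split("."))]

def is_vulnerable(installed: str, fixed: str) -> bool:
    """A key that is a proper prefix sorts lower, so 427 < 427.1, 1.46.0 < 1.46.0.1."""
    return version_key(installed) < version_key(fixed)

def audit(inventory: str) -> list:
    """Return (plugin, installed, fixed, cve) for each plugin still exposed."""
    findings = []
    for line in inventory.splitlines():
        m = LINE.match(line)
        if m and m.group(1) in FIXED:
            fixed, cve = FIXED[m.group(1)]
            if is_vulnerable(m.group(2), fixed):
                findings.append((m.group(1), m.group(2), fixed, cve))
    return findings

if __name__ == "__main__":
    for name, installed, fixed, cve in audit(SAMPLE_INVENTORY):
        print(f"{name}: {installed} < {fixed} ({cve})")
```

A plugin that is installed but absent from the inventory line format, or whose version string starts with a non-numeric token, is simply skipped, so check the parser against your real export before trusting a clean result.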

Credentials Binding flaw can lead to file writes

The Credentials Binding Plugin flaw affects versions 719.v80e905ef14eb_ and earlier. Jenkins says the plugin did not sanitize file names for file and zip file credentials.

This can let attackers write files to arbitrary locations on the node filesystem if they can provide credentials to a job. In a risky setup, that can lead to remote code execution on the built-in node.

The attack path depends on configuration. Jenkins says the highest risk appears when a low-privileged user can configure file or zip file credentials used by a job running on the built-in node.

Stored XSS affects GitHub and HTML Publisher plugins

The GitHub Plugin flaw, tracked as CVE-2026-42523, affects versions 1.46.0 and earlier. The plugin improperly processed the current job URL in JavaScript used for validating the “GitHub hook trigger for GITScm polling” feature.

This creates a stored XSS vulnerability that non-anonymous attackers with Overall/Read permission can exploit. Jenkins fixed it in GitHub Plugin 1.46.0.1.

The HTML Publisher Plugin flaw, tracked as CVE-2026-42524, affects versions 427 and earlier. The plugin did not escape job names and URLs in its legacy wrapper file, which allowed stored XSS attacks by users with Item/Configure permission.

HTML Publisher fix has an important detail

Jenkins fixed the HTML Publisher issue in version 427.1. However, the advisory says the fix applies only to newly generated wrappers.

That means administrators should review old published HTML reports and wrappers after updating. Old generated content may still need cleanup or regeneration depending on how each Jenkins instance uses the plugin.

Jenkins also notes that enforcing Content Security Policy protection can mitigate the HTML Publisher XSS issue on Jenkins 2.539 and newer, including LTS 2.541.1 and newer.

Other medium-severity flaws also need attention

  • Script Security Plugin: A missing permission check let users with Overall/Read permission enumerate pending and approved classpaths.
  • Matrix Authorization Strategy Plugin: Unsafe deserialization could allow attackers with Item/Configure permission to instantiate arbitrary types.
  • GitHub Branch Source Plugin: A missing permission check allowed connection tests to attacker-specified URLs with attacker-specified GitHub App credentials.
  • Microsoft Entra ID Plugin: An open redirect bug could redirect users to another site after successful Jenkins authentication.

These issues may not carry the same severity rating as the path traversal and stored XSS flaws, but they still matter in shared Jenkins environments.

CI/CD systems often hold credentials, deployment access, signing keys, cloud tokens, and source code. Even a Medium-severity flaw can help attackers gather information or move closer to a more damaging exploit path.

Why Jenkins admins should patch quickly

Jenkins often sits at the center of software delivery pipelines. If attackers compromise Jenkins, they may be able to alter builds, steal secrets, change release artifacts, or tamper with automation jobs.

The Credentials Binding issue deserves special attention because it connects credential handling, job configuration, and filesystem writes. Admins should check whether untrusted or low-privileged users can configure jobs that run on the built-in node.

The stored XSS issues also create risk because Jenkins administrators often view job pages, GitHub trigger settings, and published HTML reports. A successful XSS attack could target privileged users through the Jenkins interface.

  • Update all affected Jenkins plugins to the fixed versions listed in the advisory.
  • Review who can configure jobs, credentials, reports, and GitHub integrations.
  • Restrict low-privileged users from configuring file or zip file credentials where possible.
  • Avoid running untrusted jobs on the built-in Jenkins node.
  • Regenerate or review legacy HTML Publisher wrappers after updating the plugin.
  • Enable or enforce Content Security Policy protection on supported Jenkins versions.
  • Audit Jenkins logs for suspicious job changes, credential activity, and unexpected file writes.
  • Review GitHub App credentials used by Jenkins integrations.

Admins should also use the update window to review Jenkins permission models. Several of the patched flaws become more dangerous when users have broader permissions than they need.

Least privilege remains one of the most important defenses for Jenkins. Users should only receive the permissions required for their role, especially in shared CI/CD environments.

FAQ

How many Jenkins plugin vulnerabilities were patched?

Jenkins patched seven plugin vulnerabilities in its April 29, 2026 security advisory.

Which flaws are High severity?

The High-severity flaws are CVE-2026-42520 in Credentials Binding Plugin, CVE-2026-42523 in GitHub Plugin, and CVE-2026-42524 in HTML Publisher Plugin.

Can the Credentials Binding flaw lead to remote code execution?

Yes, but only in specific configurations. Jenkins says the flaw can lead to remote code execution when low-privileged users can configure file or zip file credentials used by a job running on the built-in node.

What should administrators update first?

Administrators should prioritize Credentials Binding, GitHub Plugin, and HTML Publisher Plugin, then update the remaining affected plugins.
