CVE-2025-47884: Jenkins OpenID Connect Auth Bypass Flaw

CVE-2025-47884 is an authentication bypass vulnerability in Jenkins OpenID Connect Provider Plugin that lets attackers impersonate trusted jobs and gain unauthorized access. This article covers technical details, affected versions, and mitigations.

Published: March 31, 2026

CVE-2025-47884 Overview

A critical improper access control vulnerability exists in the Jenkins OpenID Connect Provider Plugin version 96.vee8ed882ec4d and earlier. The flaw is in the build ID Token generation mechanism, which reads environment variables whose values the build itself may have overridden. In conjunction with certain other plugins, this allows attackers holding Item/Configure permission (the ability to configure a job) to craft build ID Tokens that impersonate a trusted job, potentially gaining unauthorized access to external services that rely on those tokens for authentication.

Critical Impact

Attackers able to configure Jenkins jobs can forge build ID Tokens to impersonate trusted jobs, enabling unauthorized access to external services and potentially compromising the entire CI/CD pipeline trust model.

Affected Products

  • Jenkins OpenID Connect Provider Plugin version 96.vee8ed882ec4d and earlier
  • Jenkins instances running that plugin in which users other than trusted administrators hold Item/Configure permission on jobs

Discovery Timeline

  • May 14, 2025 - CVE-2025-47884 published to NVD
  • June 12, 2025 - Last updated in NVD database

Technical Details for CVE-2025-47884

Vulnerability Analysis

This vulnerability falls under CWE-284 (Improper Access Control), affecting how the Jenkins OpenID Connect Provider Plugin generates and validates build ID Tokens. The core issue lies in the token generation process, which relies on environment variable values that can be manipulated by users with job configuration permissions.

In Jenkins CI/CD environments, build ID Tokens serve as authentication credentials that external services use to verify the identity and trustworthiness of Jenkins jobs. These tokens typically contain claims about the job name, build number, and other identifying information that external systems rely upon for authorization decisions.

The vulnerability allows an attacker with access to configure jobs to inject overridden environment variable values into the token generation process. This manipulation can result in tokens that falsely represent the job's identity, effectively allowing a less-trusted job to masquerade as a more privileged one.

Root Cause

The root cause of this vulnerability is the plugin's reliance on environment variables for constructing build ID Token claims without adequately verifying whether these values have been tampered with or overridden. Jenkins plugins can modify environment variables during the build process, and the OpenID Connect Provider Plugin fails to distinguish between legitimate system-provided values and potentially malicious user-supplied overrides.

This design flaw creates a trust boundary violation where user-controlled input directly influences security-sensitive token claims that external services depend upon for access control decisions.

Attack Vector

The attack vector requires network access and low-privilege authentication to Jenkins with job configuration permissions. An attacker would:

  1. Gain access to configure a Jenkins job (directly or through another vulnerability)
  2. Configure the job to override specific environment variables used in token generation
  3. Trigger a build that generates a fraudulent ID Token
  4. Use the forged token to authenticate to external services as a trusted job

The vulnerability has a changed scope, meaning successful exploitation impacts resources beyond the vulnerable component itself—specifically, the external services that trust these ID Tokens for authentication and authorization decisions.

The attack mechanism involves manipulating environment variable values that the OpenID Connect Provider Plugin uses when constructing JWT claims. By controlling these values, an attacker can craft tokens with arbitrary claims, effectively impersonating any job in the Jenkins instance. External services that validate these tokens based on job names or other claims would grant access based on the forged identity. Detailed technical information is available in the Jenkins Security Advisory SECURITY-3574.
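The root cause and a hardened alternative, as an added Python model that is not the plugin's own (Java) code: in the vulnerable path the claims are copied from the build's environment, so a job that redefines JOB_NAME or BUILD_URL in its own configuration picks its own identity; in the hardened path the claims come from the authoritative build record, and any disagreement between that record and the environment aborts token issuance. JOB_NAME, BUILD_NUMBER and BUILD_URL are Jenkins' standard build variables; the claim names, the sandbox/prod job names and the exact shape of the hardened check are assumptions for this illustration, not necessarily how the patched plugin implements its fix.

```python
"""Added illustration of the CVE-2025-47884 root cause (not the plugin's code):
build ID Token claims derived from build environment variables that a job's
own configuration can redefine. Claim and job names are constructed."""
from dataclasses import dataclass

# Variables Jenkins core injects into every build. withEnv, EnvInject
# properties, or a plain export in a shell step can shadow them.
IDENTITY_VARS = ("JOB_NAME", "BUILD_NUMBER", "BUILD_URL")


@dataclass(frozen=True)
class BuildRecord:
    """Build identity as Jenkins core knows it (authoritative, not env-derived)."""
    job_name: str
    build_number: int
    build_url: str

    def expected_env(self) -> dict:
        return {
            "JOB_NAME": self.job_name,
            "BUILD_NUMBER": str(self.build_number),
            "BUILD_URL": self.build_url,
        }


def vulnerable_claims(env: dict) -> dict:
    """Pre-fix pattern: whatever the build environment says becomes the claim.
    Any job that can set JOB_NAME in its own environment chooses its own sub."""
    return {
        "sub": env["JOB_NAME"],
        "build_number": env["BUILD_NUMBER"],
        "build_url": env["BUILD_URL"],
    }


class ClaimTamperingError(ValueError):
    """Raised when the build environment disagrees with the build record."""


def hardened_claims(build: BuildRecord, env: dict) -> dict:
    """Hardened pattern (this example's design): claims come from the build
    record, and an overridden identity variable aborts issuance instead of
    being silently ignored, so the tampering shows up in the build log."""
    expected = build.expected_env()
    overridden = [name for name in IDENTITY_VARS if env.get(name) != expected[name]]
    if overridden:
        raise ClaimTamperingError(
            f"build environment overrides identity variables: {overridden}"
        )
    return {
        "sub": build.job_name,
        "build_number": str(build.build_number),
        "build_url": build.build_url,
    }


# Constructed scenario: a low-trust job shadows JOB_NAME and BUILD_URL to
# look like a production deploy job that an external service trusts.
ATTACKER_BUILD = BuildRecord(
    "sandbox/untrusted-pr", 17,
    "https://jenkins.example/job/sandbox/job/untrusted-pr/17/",
)
HONEST_ENV = ATTACKER_BUILD.expected_env()
FORGED_ENV = {
    **HONEST_ENV,
    "JOB_NAME": "prod/deploy",
    "BUILD_URL": "https://jenkins.example/job/prod/job/deploy/17/",
}


def demo() -> tuple:
    """(sub the vulnerable path issues for the forged env,
        sub the hardened path issues for the honest env,
        whether the hardened path rejected the forged env)."""
    forged_sub = vulnerable_claims(FORGED_ENV)["sub"]
    honest_sub = hardened_claims(ATTACKER_BUILD, HONEST_ENV)["sub"]
    try:
        hardened_claims(ATTACKER_BUILD, FORGED_ENV)
        rejected = False
    except ClaimTamperingError:
        rejected = True
    return forged_sub, honest_sub, rejected


if __name__ == "__main__":
    print(demo())  # ('prod/deploy', 'sandbox/untrusted-pr', True)
```

The point of raising rather than quietly substituting the trusted values is operational: a build that tried to redefine its own identity is itself a signal worth surfacing, and a failed build is easier to spot than a token that was silently corrected.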

Detection Methods for CVE-2025-47884

Indicators of Compromise

  • Unexpected job configuration changes, particularly those modifying environment variables
  • Build ID Tokens with mismatched claims compared to the actual job executing the build
  • Unusual access patterns to external services from Jenkins, especially from jobs that shouldn't have such access
  • Audit log entries showing environment variable modifications in sensitive jobs

Detection Strategies

  • Review Jenkins job configurations for suspicious environment variable overrides that could affect token generation
  • Implement token validation on receiving services to cross-verify claims against expected job identities
  • Monitor Jenkins audit logs for configuration changes to jobs interacting with external services
  • Compare build ID Token claims against the actual job metadata in Jenkins
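One way to carry out the first detection strategy above (reviewing job configurations for overrides that could affect token generation), written as an added Python example that is neither SentinelOne's nor Jenkins' code. It scans the text content of job config.xml documents for assignments to Jenkins' own build identity variables, which makes it independent of which plugin or Pipeline step performs the override. The three sample configs are constructed for the example, and the EnvInject element names in the first one are illustrative rather than a verified schema.

```python
"""Added detection example (not from the advisory or this page's author):
flag Jenkins job config.xml content that assigns to build identity variables.
Sample configs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Jenkins-provided build identity variables. A job has no legitimate reason to
# assign to these; any assignment deserves a human look.
IDENTITY_VARS = ("JOB_NAME", "JOB_BASE_NAME", "JOB_URL", "BUILD_NUMBER",
                 "BUILD_ID", "BUILD_TAG", "BUILD_URL")

# Matches JOB_NAME=prod/deploy, JOB_NAME = 'x', env.JOB_NAME = '...', and
# withEnv(['JOB_NAME=...']). The (?!=) lookahead keeps comparisons (==) out.
_ASSIGN = re.compile(r"\b(" + "|".join(IDENTITY_VARS) + r")\s*=(?!=)")


def find_identity_overrides(config_xml: str) -> list:
    """Return (variable, offending line) pairs for every assignment to an
    identity variable in any text node of the job's config.xml."""
    root = ET.fromstring(config_xml)
    hits = []
    for text in root.itertext():
        for line in text.splitlines():
            for match in _ASSIGN.finditer(line):
                hits.append((match.group(1), line.strip()))
    return hits


def scan_jobs(configs: dict) -> dict:
    """Map job name -> findings, omitting jobs with no findings."""
    report = {}
    for job, xml in configs.items():
        found = find_identity_overrides(xml)
        if found:
            report[job] = found
    return report


# Constructed sample configs (minimal; real config.xml carries many more elements).
SAMPLE_CONFIGS = {
    # Freestyle job using an EnvInject-style properties block to shadow identity.
    "sandbox/untrusted-pr": """<project>
  <buildWrappers>
    <EnvInjectBuildWrapper>
      <info><propertiesContent>JOB_NAME=prod/deploy
BUILD_URL=https://jenkins.example/job/prod/job/deploy/1/</propertiesContent></info>
    </EnvInjectBuildWrapper>
  </buildWrappers>
</project>""",
    # Pipeline job redefining identity via environment {} and withEnv.
    "sandbox/pipeline-pr": """<flow-definition>
  <definition>
    <script>pipeline {
  agent any
  environment { BUILD_NUMBER = '999' }
  stages { stage('t') { steps {
    withEnv(['JOB_NAME=prod/deploy']) { sh 'echo $JOB_NAME' }
  } } }
}</script>
  </definition>
</flow-definition>""",
    # Clean job: reads identity variables but never assigns to them.
    "prod/deploy": """<flow-definition>
  <definition>
    <script>if (env.JOB_NAME == 'prod/deploy') { echo "${BUILD_URL}" }</script>
  </definition>
</flow-definition>""",
}


if __name__ == "__main__":
    for job, findings in scan_jobs(SAMPLE_CONFIGS).items():
        for var, line in findings:
            print(f"{job}: assigns {var}: {line}")
```

Run it over `$JENKINS_HOME/jobs/*/config.xml` (and the nested `jobs/` directories of folders) rather than over the UI; the on-disk files also capture changes made through the REST API or Job DSL. Matching on text content will also flag a shell step that does `export JOB_NAME=...`, which is exactly the kind of override the advisory is about.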

Monitoring Recommendations

  • Enable comprehensive audit logging in Jenkins to track all job configuration changes
  • Implement alerting on external services for authentication attempts from unexpected job identities
  • Regularly audit which users have job configuration permissions and restrict to minimum necessary
  • Monitor for plugins that could enable environment variable manipulation in conjunction with OpenID Connect Provider

How to Mitigate CVE-2025-47884

Immediate Actions Required

  • Update Jenkins OpenID Connect Provider Plugin to the latest patched version immediately
  • Review and restrict job configuration permissions to trusted administrators only
  • Audit existing job configurations for suspicious environment variable overrides
  • Implement additional validation on external services that consume build ID Tokens

Patch Information

Jenkins has released a security update addressing this vulnerability. Administrators should update the OpenID Connect Provider Plugin to the latest available version. For detailed patch information and remediation guidance, refer to the Jenkins Security Advisory SECURITY-3574.

Workarounds

  • Restrict Item/Configure permission using Matrix Authorization or the Role-based Authorization Strategy plugin so that only trusted administrators can modify job definitions
  • Implement additional claim validation on external services to verify tokens against the job identities those services expect
  • Consider temporarily disabling the OpenID Connect Provider Plugin until patching is complete if external service access is not critical
  • Audit and, where possible, remove or restrict plugins that let a job inject or override build environment variables; the advisory notes that exploitation requires certain other plugins in conjunction with this one
```bash
# Check the installed OpenID Connect Provider Plugin version.
# UI: Manage Jenkins > Plugins > Installed plugins, search "OpenID Connect Provider".
# CLI: the plugin's artifact ID is oidc-provider; list-plugins prints name and version.
java -jar jenkins-cli.jar -s http://jenkins-server/ -auth "$JENKINS_USER:$JENKINS_API_TOKEN" \
  list-plugins | grep oidc-provider

# Update the plugin and restart Jenkins once the install completes.
java -jar jenkins-cli.jar -s http://jenkins-server/ -auth "$JENKINS_USER:$JENKINS_API_TOKEN" \
  install-plugin oidc-provider -restart
```
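The claim checks a consuming service should enforce before acting on a build ID Token, as an added Python example that is not from the advisory, the plugin, or this page's author. Signature verification against the provider's JWKS is assumed to have been done by a JWT library first; this code works on the decoded payload and pins issuer, audience, validity window and an allowlist of job identities, then cross-checks the job claim against the job encoded in the build URL. The claim names `sub` and `build_url`, the issuer and audience values, and the sample tokens are assumptions constructed for the example.

```python
"""Added consumer-side example (not the plugin's or SentinelOne's code): pin
issuer, audience, time window and allowed job identity of a build ID Token,
then cross-check the job claim against the build URL. Claim names and tokens
are constructed assumptions."""
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenPolicy:
    """What this consuming service expects from a build ID Token."""
    issuer: str                  # the Jenkins OIDC provider's issuer URL
    audience: str                # this service's own identifier
    allowed_jobs: frozenset      # full job names allowed to call us
    leeway: int = 60             # seconds of clock skew tolerated


def decode_payload(token: str) -> dict:
    """Split a compact JWS and base64url-decode its payload. Signature
    verification is deliberately not done here; run it with a JWT library
    against the provider's JWKS before calling authorize()."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def job_from_build_url(build_url: str, issuer: str) -> Optional[str]:
    """Recover 'folder/job' from a Jenkins build URL laid out as
    <issuer>/job/<folder>/job/<name>/<number>/ ; None if it does not fit."""
    base = issuer.rstrip("/")
    if not build_url.startswith(base + "/job/"):
        return None
    segments = build_url[len(base):].strip("/").split("/")
    names, i = [], 0
    while i + 1 < len(segments) and segments[i] == "job":
        names.append(segments[i + 1])
        i += 2
    if not names or i != len(segments) - 1 or not segments[i].isdigit():
        return None
    return "/".join(names)


def authorize(claims: dict, policy: TokenPolicy, now: Optional[int] = None) -> str:
    """Return the authorized job name, or raise PermissionError."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != policy.issuer:
        raise PermissionError("issuer mismatch")
    aud = claims.get("aud")
    if aud != policy.audience and not (isinstance(aud, list) and policy.audience in aud):
        raise PermissionError("audience mismatch")
    if claims.get("exp", 0) + policy.leeway < now:
        raise PermissionError("token expired or missing exp")
    if claims.get("nbf", 0) - policy.leeway > now:
        raise PermissionError("token not yet valid")
    sub = claims.get("sub")
    if sub not in policy.allowed_jobs:
        raise PermissionError(f"job {sub!r} is not allowed")
    # Cross-check: the job named in sub must be the job encoded in build_url.
    # A token built from a partially overridden environment fails here.
    if job_from_build_url(claims.get("build_url", ""), policy.issuer) != sub:
        raise PermissionError("sub does not match build_url")
    return sub


# Constructed policy and tokens (placeholder signature segment, so only the
# claim logic is exercised).
POLICY = TokenPolicy(issuer="https://jenkins.example", audience="deploy-api",
                     allowed_jobs=frozenset({"prod/deploy"}))
NOW = 1_750_000_000


def _unsigned_token(payload: dict) -> str:
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.sig"


LEGIT = _unsigned_token({
    "iss": POLICY.issuer, "aud": "deploy-api", "iat": NOW, "exp": NOW + 300,
    "sub": "prod/deploy",
    "build_url": "https://jenkins.example/job/prod/job/deploy/42/",
})
# Forgery from a job that overrode JOB_NAME but left BUILD_URL untouched.
PARTIAL_FORGERY = _unsigned_token({
    "iss": POLICY.issuer, "aud": "deploy-api", "iat": NOW, "exp": NOW + 300,
    "sub": "prod/deploy",
    "build_url": "https://jenkins.example/job/sandbox/job/untrusted-pr/17/",
})


def demo() -> tuple:
    """(job authorized for the legitimate token, whether the forgery was rejected)."""
    job = authorize(decode_payload(LEGIT), POLICY, NOW)
    try:
        authorize(decode_payload(PARTIAL_FORGERY), POLICY, NOW)
        rejected = False
    except PermissionError:
        rejected = True
    return job, rejected


if __name__ == "__main__":
    print(demo())  # ('prod/deploy', True)
```

The caveat a practitioner needs: these checks narrow what a forged token can be used for (only allowlisted job names, only this audience, only within the validity window) and catch sloppy forgeries whose claims are mutually inconsistent. A token forged with every identity variable overridden consistently is indistinguishable at the consumer, because the signature is genuine. That is why the plugin update, not consumer-side validation, is the actual fix.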

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details
  • Type: Auth Bypass
  • Vendor/Tech: Jenkins
  • Severity: CRITICAL
  • CVSS Score: 9.1
  • EPSS Probability: 0.93%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L

Impact Assessment
  • Confidentiality: Low
  • Integrity: High (I:H in the vector above; a forged token lets a less-trusted job act as a trusted one)
  • Availability: Low

CWE References
  • CWE-284 (Improper Access Control)

Vendor Resources
  • Jenkins Security Advisory SECURITY-3574

Related CVEs
  • CVE-2026-33002: Jenkins Auth Bypass Vulnerability
  • CVE-2025-47889: Jenkins WSO2 Oauth Auth Bypass Flaw
  • CVE-2025-24399: Jenkins OpenID Connect Auth Bypass Flaw
  • CVE-2025-32754: Jenkins Ssh-agent Auth Bypass Vulnerability
©2026 SentinelOne, All Rights Reserved.