CVE-2026-10276 Overview
CVE-2026-10276 is a server-side request forgery (SSRF) vulnerability in hekmon8 Jenkins-server-mcp version 0.1.0. The flaw resides in the jobPath function within src/index.ts, affecting the get_build_status, get_build_log, and trigger_build components of this Model Context Protocol (MCP) server for Jenkins. Attackers can manipulate the jobPath parameter remotely to coerce the server into issuing unintended HTTP requests. The exploit details have been disclosed publicly. The project maintainer was notified via a GitHub issue but has not responded at the time of disclosure.
Critical Impact
Authenticated remote attackers can abuse the MCP server to issue server-side requests to arbitrary endpoints, potentially reaching internal Jenkins resources and adjacent network services.
Affected Products
- hekmon8 Jenkins-server-mcp 0.1.0
- Components: get_build_status, get_build_log, trigger_build
- File: src/index.ts, function jobPath
Discovery Timeline
- 2026-06-01 - CVE-2026-10276 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-10276
Vulnerability Analysis
The vulnerability is classified under [CWE-918] Server-Side Request Forgery. Jenkins-server-mcp is a Model Context Protocol server that exposes Jenkins build operations to MCP-compatible clients. The jobPath argument received by the get_build_status, get_build_log, and trigger_build tools is concatenated into outbound HTTP requests sent by the server.
Because the jobPath value is not validated against an allowlist or constrained to legitimate Jenkins job paths, an attacker controlling this input can redirect the outbound request. The request originates from the MCP server process, inheriting any trust the host network grants it. Exploitation requires low privileges and no user interaction.
Root Cause
The root cause is missing input validation on the jobPath parameter inside src/index.ts. The function builds a URL using attacker-controlled input without verifying that the resulting target is the intended Jenkins instance or sanitizing path traversal sequences. This allows the URL to be redirected to internal services, alternate hosts, or unintended Jenkins endpoints.
Attack Vector
The attack is performed remotely over the network through MCP tool invocations. An attacker supplies a crafted jobPath value when calling get_build_status, get_build_log, or trigger_build. The server then issues an HTTP request using the manipulated path. This request can be directed at internal cloud metadata endpoints, intranet hosts, or other Jenkins API routes the server has access to. Refer to the VulDB Vulnerability Details and the GitHub Issue Discussion for additional technical context.
Detection Methods for CVE-2026-10276
Indicators of Compromise
- Outbound HTTP requests from the Jenkins-server-mcp process to hosts other than the configured Jenkins server.
- MCP tool invocations containing suspicious jobPath values with URL schemes, IP literals, or path traversal sequences such as ../.
- Unexpected requests to cloud metadata endpoints (for example, 169.254.169.254) originating from the MCP host.
Detection Strategies
- Inspect MCP server logs for get_build_status, get_build_log, and trigger_build calls with anomalous jobPath values.
- Compare the destination of outbound HTTP requests from the MCP process against an allowlist of expected Jenkins endpoints.
- Apply static analysis to src/index.ts to confirm whether jobPath is sanitized before URL construction.
Monitoring Recommendations
- Enable verbose logging in the MCP server and forward logs to a centralized SIEM for analysis.
- Monitor egress traffic from the MCP host and alert on connections to internal RFC1918 ranges or cloud metadata IPs.
- Track failed and unusual HTTP response codes returned to MCP clients, which may indicate probing of internal services.
How to Mitigate CVE-2026-10276
Immediate Actions Required
- Restrict network access to the Jenkins-server-mcp instance so that only trusted MCP clients can invoke tools.
- Run the MCP server in a network segment that cannot reach cloud metadata services or sensitive internal hosts.
- Disable or remove the affected MCP server until a vendor patch is available if SSRF risk is unacceptable.
Patch Information
No official patch is available. According to the VulDB CVE Entry, the maintainer was notified through a GitHub Issue Discussion but has not responded. Track the GitHub PoC Repository for upstream fixes.
Workarounds
- Fork the project and patch src/index.ts to validate jobPath against a strict allowlist of permitted Jenkins job names.
- Place the MCP server behind an egress proxy that only permits connections to the legitimate Jenkins host and port.
- Enforce least-privilege credentials for the Jenkins API token used by the MCP server to limit blast radius.
- Reject jobPath inputs containing schemes (http://, file://), IP literals, or traversal characters before request construction.
# Configuration example: restrict egress with iptables to a single Jenkins host
iptables -A OUTPUT -m owner --uid-owner mcp -d jenkins.internal.example.com -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner mcp -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

