Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27100

CVE-2026-27100: Jenkins Information Disclosure Vulnerability

CVE-2026-27100 is an information disclosure vulnerability in Jenkins that allows attackers to obtain information about jobs and builds they shouldn't access. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-27100 Overview

CVE-2026-27100 is an information disclosure vulnerability in Jenkins that allows attackers with Item/Build and Item/Configure permissions to enumerate information about jobs and builds they should not have access to. The vulnerability exists in how Jenkins processes Run Parameter values, accepting references to builds that the submitting user does not have authorization to view.

Critical Impact

Attackers can discover the existence of jobs, builds, and build display names within the Jenkins instance, potentially exposing sensitive project information and organizational structure.

Affected Products

  • Jenkins 2.550 and earlier
  • Jenkins LTS 2.541.1 and earlier

Discovery Timeline

  • 2026-02-18 - CVE CVE-2026-27100 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2026-27100

Vulnerability Analysis

This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw allows users with limited permissions (Item/Build and Item/Configure) to probe the Jenkins instance for information about jobs and builds they are not authorized to access.

When a user submits a build with Run Parameter values, Jenkins fails to properly validate whether the user has permission to access the referenced builds. This allows an attacker to enumerate the existence of jobs, determine whether specific builds exist, and retrieve build display names—all without proper authorization.

The attack can be performed remotely over the network and requires low-privilege access to the Jenkins instance. While no data integrity or availability impact exists, the confidentiality breach can reveal organizational structure, project names, and build identifiers that may be leveraged for further attacks.

Root Cause

The root cause is insufficient authorization checks when processing Run Parameter values that reference other builds. Jenkins accepts these parameter values without validating that the submitting user has the necessary permissions to view the referenced build objects, leading to an authorization bypass for information retrieval.

Attack Vector

An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by:

  1. Creating or modifying a job to include Run Parameters
  2. Submitting build requests with Run Parameter values referencing builds in jobs they cannot access
  3. Observing the response to determine if the referenced job/build exists
  4. Extracting display names from builds when they exist

The vulnerability is exploitable over the network without user interaction. The attacker requires authenticated access with specific permissions but can access information outside their authorized scope.

Detection Methods for CVE-2026-27100

Indicators of Compromise

  • Unusual patterns of build submissions with Run Parameter values referencing various job paths
  • Users with Item/Build permissions submitting builds that reference jobs outside their normal scope
  • Audit logs showing parameter values containing systematic job/build path enumeration patterns

Detection Strategies

  • Monitor Jenkins audit logs for build submissions with Run Parameters referencing jobs the user doesn't have Item/Read permission for
  • Implement alerting on patterns of failed or anomalous build parameter submissions
  • Review access logs for users systematically probing job paths through parameter values

Monitoring Recommendations

  • Enable and centralize Jenkins security audit logging
  • Configure alerts for unusual Run Parameter submission patterns
  • Regularly review user permissions and access patterns in Jenkins
  • Implement rate limiting on build submissions where feasible

How to Mitigate CVE-2026-27100

Immediate Actions Required

  • Upgrade Jenkins to a patched version beyond 2.550 (weekly) or 2.541.1 (LTS)
  • Review and restrict Item/Build and Item/Configure permissions to only trusted users
  • Audit existing jobs for Run Parameter configurations that may have been exploited
  • Enable enhanced audit logging to detect any exploitation attempts

Patch Information

Jenkins has addressed this vulnerability in versions after 2.550 (weekly) and 2.541.1 (LTS). Organizations should update to the latest available version. For detailed patch information, refer to the Jenkins Security Advisory 2026-02-18.

Workarounds

  • Restrict Item/Build and Item/Configure permissions using Jenkins Role-Based Access Control
  • Implement strict job isolation using folder-based permissions
  • Consider using Project-based Matrix Authorization Strategy to limit cross-project parameter references
  • Remove Run Parameters from jobs where they are not strictly necessary
bash
# Review users with Item/Build and Item/Configure permissions
# In Jenkins Script Console, run:
# Jenkins.instance.getAllItems(Job.class).each { job ->
#   def acl = job.getACL()
#   println "Job: ${job.fullName}"
#   // Review permissions for this job
# }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne