CVE-2026-27100 Overview
CVE-2026-27100 is an information disclosure vulnerability in Jenkins that allows attackers with Item/Build and Item/Configure permissions to enumerate information about jobs and builds they should not have access to. The vulnerability exists in how Jenkins processes Run Parameter values, accepting references to builds that the submitting user does not have authorization to view.
Critical Impact
Attackers can discover the existence of jobs, builds, and build display names within the Jenkins instance, potentially exposing sensitive project information and organizational structure.
Affected Products
- Jenkins 2.550 and earlier
- Jenkins LTS 2.541.1 and earlier
Discovery Timeline
- 2026-02-18 - CVE CVE-2026-27100 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-27100
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw allows users with limited permissions (Item/Build and Item/Configure) to probe the Jenkins instance for information about jobs and builds they are not authorized to access.
When a user submits a build with Run Parameter values, Jenkins fails to properly validate whether the user has permission to access the referenced builds. This allows an attacker to enumerate the existence of jobs, determine whether specific builds exist, and retrieve build display names—all without proper authorization.
The attack can be performed remotely over the network and requires low-privilege access to the Jenkins instance. While no data integrity or availability impact exists, the confidentiality breach can reveal organizational structure, project names, and build identifiers that may be leveraged for further attacks.
Root Cause
The root cause is insufficient authorization checks when processing Run Parameter values that reference other builds. Jenkins accepts these parameter values without validating that the submitting user has the necessary permissions to view the referenced build objects, leading to an authorization bypass for information retrieval.
Attack Vector
An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by:
- Creating or modifying a job to include Run Parameters
- Submitting build requests with Run Parameter values referencing builds in jobs they cannot access
- Observing the response to determine if the referenced job/build exists
- Extracting display names from builds when they exist
The vulnerability is exploitable over the network without user interaction. The attacker requires authenticated access with specific permissions but can access information outside their authorized scope.
Detection Methods for CVE-2026-27100
Indicators of Compromise
- Unusual patterns of build submissions with Run Parameter values referencing various job paths
- Users with Item/Build permissions submitting builds that reference jobs outside their normal scope
- Audit logs showing parameter values containing systematic job/build path enumeration patterns
Detection Strategies
- Monitor Jenkins audit logs for build submissions with Run Parameters referencing jobs the user doesn't have Item/Read permission for
- Implement alerting on patterns of failed or anomalous build parameter submissions
- Review access logs for users systematically probing job paths through parameter values
Monitoring Recommendations
- Enable and centralize Jenkins security audit logging
- Configure alerts for unusual Run Parameter submission patterns
- Regularly review user permissions and access patterns in Jenkins
- Implement rate limiting on build submissions where feasible
How to Mitigate CVE-2026-27100
Immediate Actions Required
- Upgrade Jenkins to a patched version beyond 2.550 (weekly) or 2.541.1 (LTS)
- Review and restrict Item/Build and Item/Configure permissions to only trusted users
- Audit existing jobs for Run Parameter configurations that may have been exploited
- Enable enhanced audit logging to detect any exploitation attempts
Patch Information
Jenkins has addressed this vulnerability in versions after 2.550 (weekly) and 2.541.1 (LTS). Organizations should update to the latest available version. For detailed patch information, refer to the Jenkins Security Advisory 2026-02-18.
Workarounds
- Restrict Item/Build and Item/Configure permissions using Jenkins Role-Based Access Control
- Implement strict job isolation using folder-based permissions
- Consider using Project-based Matrix Authorization Strategy to limit cross-project parameter references
- Remove Run Parameters from jobs where they are not strictly necessary
# Review users with Item/Build and Item/Configure permissions
# In Jenkins Script Console, run:
# Jenkins.instance.getAllItems(Job.class).each { job ->
# def acl = job.getACL()
# println "Job: ${job.fullName}"
# // Review permissions for this job
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
