CVE-2026-48918 Overview
CVE-2026-48918 affects the Jenkins Active Directory Plugin version 2.41 and earlier. The plugin follows Lightweight Directory Access Protocol (LDAP) referrals by default during authentication and directory queries. An attacker who controls a domain controller or an LDAP server reachable from Jenkins can redirect referrals to an attacker-controlled endpoint. This behavior maps to Server-Side Request Forgery [CWE-918], where the Jenkins controller initiates outbound connections to attacker-specified destinations. The flaw was disclosed in the Jenkins Security Advisory on 2026-05-27 under SECURITY-3659.
Critical Impact
A high-privileged attacker positioned in the LDAP path can force the Jenkins controller to issue authenticated requests to attacker-chosen servers, enabling credential capture and lateral access to internal services.
Affected Products
- Jenkins Active Directory Plugin 2.41
- Jenkins Active Directory Plugin versions prior to 2.41
- Jenkins controllers configured to authenticate against Active Directory using this plugin
Discovery Timeline
- 2026-05-27 - Jenkins publishes Security Advisory SECURITY-3659
- 2026-05-27 - CVE-2026-48918 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-48918
Vulnerability Analysis
The Jenkins Active Directory Plugin uses Java Naming and Directory Interface (JNDI) to query Active Directory. By default, the plugin enables referral chasing on LDAP responses. When a queried directory server returns a referral, the JNDI client automatically connects to the referred host and continues the operation. An attacker who can influence directory replies can redirect the Jenkins controller to a server they control.
Once connected, the attacker-controlled LDAP server can capture authentication material exchanged during the bind operation. It can also return crafted directory entries that alter authorization decisions inside Jenkins, including group memberships used for role mapping. The result is unauthorized access to internal endpoints reachable from the Jenkins controller and potential exposure of Active Directory credentials.
Root Cause
The root cause is an insecure default configuration. The plugin sets the JNDI java.naming.referral property to follow without restricting the destination of referral hosts. No allowlist constrains where referral chases can terminate. This matches the Server-Side Request Forgery weakness pattern in [CWE-918], where a server-side component performs outbound requests to locations chosen by an attacker.
Attack Vector
Exploitation requires network access to the Jenkins controller and a position that influences LDAP responses. A malicious or compromised domain controller, a man-in-the-middle on an unencrypted LDAP path, or an attacker with sufficient directory privileges to inject referral records can trigger the behavior. The Jenkins controller then opens a connection to the attacker-specified host and proceeds with bind and search operations against it.
No verified public proof-of-concept code is associated with this CVE. Refer to the Jenkins Security Advisory #2026-05-27 for vendor technical details.
Detection Methods for CVE-2026-48918
Indicators of Compromise
- Outbound LDAP or LDAPS connections from the Jenkins controller to hosts outside the expected Active Directory domain controller set.
- Jenkins authentication logs showing bind operations against unexpected directory servers or unusual DNS resolutions preceding LDAP traffic.
- Sudden authorization changes for Jenkins users, such as new group memberships appearing without corresponding directory changes in trusted controllers.
Detection Strategies
- Inspect Jenkins controller process network telemetry for LDAP traffic on TCP 389 or 636 to destinations not on the approved domain controller list.
- Correlate Jenkins audit-trail plugin entries with network connections to identify referral-driven binds.
- Review JNDI debug logs when enabled, looking for referral events and host targets that do not match internal directory infrastructure.
Monitoring Recommendations
- Restrict and monitor egress from the Jenkins controller to only approved Active Directory endpoints using host or network firewalls.
- Forward Jenkins system logs and authentication events to a central log platform and alert on LDAP destinations outside an allowlist.
- Track installed plugin versions across Jenkins instances and alert when active-directory is below 2.42.
How to Mitigate CVE-2026-48918
Immediate Actions Required
- Upgrade the Jenkins Active Directory Plugin to a fixed version published in the Jenkins Security Advisory dated 2026-05-27.
- Inventory all Jenkins controllers using Active Directory authentication and prioritize internet-exposed or shared-tenant instances.
- Rotate any service account credentials used by Jenkins to bind to Active Directory if compromise is suspected.
Patch Information
Apply the plugin update referenced in the Jenkins Security Advisory #2026-05-27 for SECURITY-3659. The fix changes default behavior so the plugin no longer follows LDAP referrals automatically, eliminating the uncontrolled outbound request path.
Workarounds
- Where patching is delayed, restrict outbound LDAP and LDAPS traffic from the Jenkins controller to a strict allowlist of trusted domain controllers.
- Require LDAPS with certificate validation for Active Directory authentication to prevent referral redirection over cleartext channels.
- Limit administrative access to the Jenkins security realm configuration so only trusted operators can modify directory settings.
# Example egress restriction for the Jenkins controller (iptables)
# Allow LDAPS only to approved domain controllers
iptables -A OUTPUT -p tcp --dport 636 -d 10.0.10.11 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 636 -d 10.0.10.12 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A OUTPUT -p tcp --dport 636 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

