Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53436

CVE-2026-53436: Jenkins Auth Bypass Vulnerability

CVE-2026-53436 is an authentication bypass flaw in Jenkins that allows attackers to perform phishing attacks via malicious redirect URLs. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-53436 Overview

Jenkins contains an open redirect vulnerability that allows attackers to craft malicious login URLs redirecting authenticated users to attacker-controlled destinations. The flaw affects Jenkins 2.567 and earlier, and Jenkins LTS 2.555.2 and earlier. The application improperly validates redirect URLs after login when those URLs contain relative path segments such as ./ or ../. Attackers can leverage this weakness to conduct phishing campaigns that appear to originate from a trusted Jenkins instance. The vulnerability is categorized under [CWE-601] (URL Redirection to Untrusted Site).

Critical Impact

Authenticated users can be silently redirected from a legitimate Jenkins login flow to attacker-controlled phishing pages, enabling credential theft and social engineering attacks.

Affected Products

  • Jenkins 2.567 and earlier
  • Jenkins LTS 2.555.2 and earlier
  • Jenkins instances exposing the login redirect parameter to untrusted networks

Discovery Timeline

  • 2026-06-10 - Jenkins Security Advisory published as SECURITY-3711 and SECURITY-3755
  • 2026-06-10 - CVE-2026-53436 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-53436

Vulnerability Analysis

The vulnerability resides in the Jenkins login flow, which accepts a from parameter indicating where the user should be redirected after successful authentication. Jenkins validates that this redirect target points back to itself rather than to an external host. The validation logic, however, does not correctly normalize relative path segments such as ./ and ../ before performing the origin check. Attackers can craft a redirect URL containing these segments that passes the legitimacy check but resolves to an external host once the browser processes it. The result is an open redirect that an attacker can chain into phishing workflows targeting Jenkins users.

Root Cause

The root cause is improper input validation in the redirect URL parser. Jenkins treats URLs containing ./ or ../ segments as relative to its own origin without resolving the segments first. Browsers, in contrast, resolve these segments during navigation, which can produce a final URL pointing to an attacker-controlled domain. This mismatch between server-side validation and client-side URL resolution creates the open redirect condition described in [CWE-601].

Attack Vector

Exploitation requires user interaction. An attacker sends a victim a crafted Jenkins login link that embeds a manipulated from parameter. After the victim authenticates, Jenkins issues a redirect that the browser resolves to an attacker-controlled URL. The destination page can mimic Jenkins branding to harvest credentials, deliver malware, or solicit sensitive information. The attack requires no privileges on the Jenkins server and operates entirely over the network.

No public proof-of-concept exploit code is currently available. Refer to the Jenkins Security Advisory 2026-06-10 for vendor technical detail.

Detection Methods for CVE-2026-53436

Indicators of Compromise

  • Inbound HTTP requests to Jenkins /login or /securityRealm/commenceLogin endpoints containing from parameters with ./ or ../ sequences
  • HTTP 302 responses from Jenkins where the Location header resolves to an external domain
  • User reports of unexpected redirects to unfamiliar domains following Jenkins authentication

Detection Strategies

  • Inspect Jenkins access logs for login requests carrying suspicious from query parameter values
  • Correlate authentication events with outbound redirect responses that leave the Jenkins domain
  • Deploy web application firewall rules that flag relative-path segments inside redirect parameters

Monitoring Recommendations

  • Enable verbose request logging on the Jenkins reverse proxy or load balancer to capture full query strings
  • Forward Jenkins logs to a centralized SIEM and alert on anomalous redirect destinations
  • Monitor email gateways and proxy logs for URLs targeting Jenkins login pages with encoded relative path segments

How to Mitigate CVE-2026-53436

Immediate Actions Required

  • Upgrade Jenkins to a version later than 2.567, or Jenkins LTS to a version later than 2.555.2
  • Restrict Jenkins login endpoints to trusted networks where feasible
  • Educate Jenkins users to verify the destination URL after logging in and to report unexpected redirects

Patch Information

Jenkins addressed this issue in the security advisory released on 2026-06-10 under identifiers SECURITY-3711 and SECURITY-3755. Apply the fixed Jenkins releases referenced in the Jenkins Security Advisory 2026-06-10. Administrators running long-term support deployments should move to the patched LTS release at the earliest maintenance window.

Workarounds

  • Place Jenkins behind a reverse proxy that strips or rejects from parameters containing ./ or ../
  • Configure web application firewall rules to block login requests with relative path segments in redirect parameters
  • Disable or restrict anonymous access to login endpoints if business requirements allow
bash
# Example NGINX rule to block redirect parameters containing relative path segments
if ($arg_from ~* "(\.\./|\./)") {
    return 400;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne