CVE-2026-53438 Overview
CVE-2026-53438 is a missing authorization vulnerability affecting Jenkins automation server. The flaw exists in Jenkins 2.567 and earlier, as well as LTS 2.555.2 and earlier. Attackers with Item/Cancel permission but lacking Item/Read permission can cancel queue items they are not authorized to view. The issue is tracked as CWE-862: Missing Authorization and was disclosed in the Jenkins Security Advisory #SECURITY-3712.
Critical Impact
Authenticated users with limited permissions can disrupt build pipelines by cancelling queued jobs they should not have visibility into, undermining isolation between projects.
Affected Products
- Jenkins weekly releases 2.567 and earlier
- Jenkins LTS 2.555.2 and earlier
- Jenkins controllers with role-based access configurations granting Item/Cancel without Item/Read
Discovery Timeline
- 2026-06-10 - CVE-2026-53438 published to NVD
- 2026-06-10 - Jenkins Security Advisory SECURITY-3712 released
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-53438
Vulnerability Analysis
The vulnerability resides in the Jenkins queue management subsystem. Jenkins enforces a permission model where Item/Read controls visibility of a job and Item/Cancel allows cancellation of running or queued builds. The queue cancellation endpoint fails to verify that the caller holds Item/Read permission on the target item before processing the cancellation request. As a result, an authenticated user can act on queue items belonging to projects they cannot otherwise see or enumerate.
The impact is limited to integrity of build operations. Attackers cannot read job configuration, view build logs, or execute code. They can, however, repeatedly cancel queued builds for sensitive pipelines, causing denial of build availability and disrupting continuous integration workflows.
Root Cause
The root cause is a missing permission check [CWE-862] in the queue item cancellation handler. The handler validates only the Item/Cancel permission and omits the corresponding Item/Read check required for consistent authorization across the Jenkins permission model.
Attack Vector
An authenticated attacker submits a cancellation request referencing a known or guessable queue item identifier. Queue identifiers are sequential integers, making enumeration straightforward. The Jenkins controller processes the request without confirming the user has read access to the underlying job, executing the cancellation.
No verified exploit code is publicly available. Refer to the Jenkins Security Advisory #SECURITY-3712 for vendor technical details.
Detection Methods for CVE-2026-53438
Indicators of Compromise
- Unexpected CANCELLED status on queue items in $JENKINS_HOME/logs/ or build history
- Audit log entries showing queue cancellation actions by users without read access to the affected job
- Repeated HTTP POST requests to /queue/cancelItem or /queue/item/<id>/cancelQueue from a single authenticated session
Detection Strategies
- Enable the Jenkins Audit Trail plugin and correlate cancelItem events against the actor's effective permissions on the target job
- Alert on cancellation events where the requesting user lacks Item/Read on the canceled item
- Baseline normal cancellation rates per user and flag deviations
Monitoring Recommendations
- Forward Jenkins access and audit logs to a centralized SIEM for cross-user correlation
- Monitor for sequential queue identifier enumeration patterns in HTTP request logs
- Track build interruption metrics per pipeline to identify abnormal cancellation activity
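The two detection strategies above (correlating cancellation events against the actor's Item/Read permission, and spotting sequential queue-id enumeration by one user) as an added Python example; this is not code from the page or from the Jenkins project, and the event records and permission map are constructed stand-ins for what an Audit Trail export and an authorization-strategy dump would provide.

```python
from collections import defaultdict

# Constructed sample audit events: (actor, queue item id, job cancelled).
# In practice these come from Audit Trail plugin records of /queue/cancelItem.
SAMPLE_EVENTS = [
    ("alice", 101, "payments/deploy"),
    ("bob", 102, "payments/deploy"),
    ("bob", 103, "payments/deploy"),
    ("bob", 104, "infra/rotate-secrets"),
    ("carol", 110, "docs/build"),
]

# Constructed effective permissions per (actor, job), as an authorization
# strategy would grant them. bob holds Item/Cancel without Item/Read.
SAMPLE_PERMS = {
    ("alice", "payments/deploy"): {"Item/Read", "Item/Cancel"},
    ("bob", "payments/deploy"): {"Item/Cancel"},
    ("bob", "infra/rotate-secrets"): {"Item/Cancel"},
    ("carol", "docs/build"): {"Item/Read", "Item/Cancel"},
}


def find_unauthorized_cancels(events, perms):
    """Return cancellations where the actor lacks Item/Read on the target job.

    A patched controller rejects these; on an affected version they succeed,
    so each hit is a concrete sign the missing check was exercised.
    """
    return [e for e in events
            if "Item/Read" not in perms.get((e[0], e[2]), set())]


def find_enumeration(events, min_run=3):
    """Map each actor to the longest run of consecutive queue ids they cancelled.

    Queue ids are sequential integers, so a run of min_run or more from a
    single actor suggests enumeration rather than normal pipeline use.
    """
    ids_by_actor = defaultdict(set)
    for actor, qid, _ in events:
        ids_by_actor[actor].add(qid)
    flagged = {}
    for actor, ids in ids_by_actor.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[actor] = best
    return flagged
```

Feed the output into the SIEM correlation described above; the permission map should be rebuilt whenever role assignments change so the check reflects current grants.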
How to Mitigate CVE-2026-53438
Immediate Actions Required
- Upgrade Jenkins weekly to version 2.568 or later
- Upgrade Jenkins LTS to version 2.555.3 or later
- Review role-based access control assignments and remove Item/Cancel grants from users who do not also hold Item/Read
- Rotate API tokens for users whose permission scope changes
Patch Information
The Jenkins project addressed the missing permission check in releases published alongside the Jenkins Security Advisory #SECURITY-3712. Apply the fixed weekly or LTS release per the advisory guidance.
Workarounds
- Restrict Item/Cancel permission to administrators and trusted pipeline owners until patching is complete
- Use folder-based authorization strategies to ensure Item/Cancel is only granted in scopes where Item/Read is also granted
- Place the Jenkins controller behind an authenticating reverse proxy that enforces additional access controls on /queue/ endpoints
# Verify installed Jenkins version
java -jar jenkins.war --version
# Example: confirm which identity Jenkins authenticates a user as, and which
# authorities (groups/roles) that identity carries, via the Jenkins CLI.
# API_TOKEN is a placeholder for the user's API token.
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
  -auth auditor:API_TOKEN who-am-i
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.