Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53440

CVE-2026-53440: Jenkins Auth Bypass Vulnerability

CVE-2026-53440 is an authentication bypass flaw in Jenkins that enables phishing attacks by redirecting users to malicious domains. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-53440 Overview

CVE-2026-53440 is an open redirect vulnerability ([CWE-601]) in Jenkins, the open-source automation server. Jenkins 2.567 and earlier, along with LTS 2.555.2 and earlier, fail to validate the from parameter in the "Delegate to servlet container" security realm. Attackers can craft login URLs that redirect authenticated users to attacker-controlled domains after successful authentication. This enables phishing campaigns that abuse the trust of the legitimate Jenkins login flow.

Critical Impact

Attackers can leverage the trusted Jenkins login endpoint to redirect authenticated users to malicious sites for credential harvesting and phishing.

Affected Products

  • Jenkins weekly releases 2.567 and earlier
  • Jenkins LTS 2.555.2 and earlier
  • Installations using the "Delegate to servlet container" security realm

Discovery Timeline

  • 2026-06-10 - Jenkins publishes security advisory SECURITY-3721
  • 2026-06-10 - CVE-2026-53440 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-53440

Vulnerability Analysis

The vulnerability resides in the login workflow used by the "Delegate to servlet container" security realm. Jenkins accepts a from query parameter that determines where users land after successful authentication. The realm does not validate whether this destination is an internal Jenkins URL. An attacker can supply an arbitrary external URL, and Jenkins issues an HTTP redirect to it once the user authenticates.

Exploitation requires user interaction. The attacker must convince a victim to click a crafted Jenkins login link. Because the initial URL points to a legitimate Jenkins instance, conventional URL inspection by users will not reveal the malicious redirection target.

Root Cause

The root cause is missing destination validation in the login redirect handler. The from parameter is treated as a trusted value and passed directly to the redirect response without checking whether it resolves to an absolute external host or a relative internal path. This pattern is the canonical signature of a [CWE-601] Open Redirect.

Attack Vector

The attacker constructs a URL such as https://jenkins.example.com/login?from=https://attacker.example/phish. The link is delivered through email, chat, or other social channels. The victim authenticates as usual on the genuine Jenkins instance. Jenkins then issues a redirect to the attacker-controlled domain, which can mimic Jenkins or a related service to harvest credentials, tokens, or session material.

No authentication or special privileges are required for the attacker. The vulnerability impacts integrity by enabling phishing, but does not directly compromise data confidentiality or availability on the Jenkins server itself.

Detection Methods for CVE-2026-53440

Indicators of Compromise

  • HTTP requests to /login or /j_acegi_security_check containing a from parameter with an absolute URL or scheme prefix such as http://, https://, or //
  • Referrer logs showing Jenkins users arriving at unfamiliar external domains immediately after authentication
  • User reports of unexpected redirects or duplicate login prompts on non-Jenkins domains

Detection Strategies

  • Inspect web server and reverse proxy access logs for login requests whose from parameter does not begin with / or the configured Jenkins base URL
  • Alert on URL-decoded from values containing external hostnames, IP literals, or protocol-relative prefixes (//)
  • Correlate phishing email reports with Jenkins login URL patterns observed in mail gateway telemetry

Monitoring Recommendations

  • Forward Jenkins access logs and reverse proxy logs to a centralized SIEM for query and retention
  • Build a detection rule that flags from parameters failing strict allow-list validation against internal paths
  • Monitor outbound DNS and proxy traffic for spikes to newly registered domains referenced in suspicious Jenkins URLs

How to Mitigate CVE-2026-53440

Immediate Actions Required

  • Upgrade Jenkins to a release that addresses SECURITY-3721, beyond version 2.567 (weekly) or 2.555.2 (LTS)
  • Audit which security realm each Jenkins instance uses and prioritize patching deployments configured with "Delegate to servlet container"
  • Educate users to inspect the destination URL after Jenkins login and report unexpected redirects

Patch Information

Jenkins addressed this issue in versions released alongside the Jenkins Security Advisory 2026-06-10. Administrators should consult the advisory for the exact fixed versions and apply the upgrade across all controllers using the affected security realm.

Workarounds

  • Switch to an alternative security realm that is not affected, such as the Jenkins built-in user database or an SSO provider
  • Place Jenkins behind a reverse proxy configured to strip or validate the from query parameter before forwarding
  • Restrict outbound redirects at the network layer using egress filtering on user browsers where feasible
bash
# Example reverse proxy rule (nginx) to drop absolute URLs in the 'from' parameter
if ($arg_from ~* "^(https?:)?//") {
    return 400;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne