Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57283

CVE-2026-57283: Jenkins Pipeline Groovy Plugin CSRF Flaw

CVE-2026-57283 is a cross-site request forgery vulnerability in Jenkins Pipeline: Groovy Plugin that lets attackers exploit the Pipeline Snippet Generator. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-57283 Overview

CVE-2026-57283 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Pipeline: Groovy Plugin, versions 4331.v9d06ed4658ff and earlier. The flaw resides in the Pipeline Snippet Generator, which fails to enforce proper request validation. Attackers can abuse this weakness to instantiate types related to job or system configuration that fall outside the intended scope of Pipeline steps. Successful exploitation requires that a victim with valid Jenkins credentials interact with attacker-controlled content. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery.

Critical Impact

Authenticated Jenkins users can be coerced into triggering unintended type instantiation through CSRF, enabling limited integrity impact on job or system configuration via the Pipeline Snippet Generator.

Affected Products

  • Jenkins Pipeline: Groovy Plugin version 4331.v9d06ed4658ff
  • Jenkins Pipeline: Groovy Plugin versions earlier than 4331.v9d06ed4658ff
  • Jenkins controllers running the affected plugin with the Snippet Generator exposed

Discovery Timeline

Technical Details for CVE-2026-57283

Vulnerability Analysis

The Pipeline: Groovy Plugin provides a Snippet Generator that helps users build Pipeline step syntax through a web interface. The Snippet Generator endpoint does not perform adequate CSRF protection on requests that drive type instantiation. As a result, the generator accepts crafted requests that instantiate types beyond the intended Pipeline step set, including types tied to job or system configuration.

An attacker who lures an authenticated Jenkins user to a malicious page can issue cross-origin requests in the victim's session. These requests reach the Snippet Generator and force instantiation of unintended objects. The impact is constrained to limited integrity effects rather than full code execution or data disclosure, consistent with the scoring profile of this issue.

Root Cause

The root cause is missing or insufficient enforcement of CSRF protection on the Snippet Generator request handler within the Pipeline: Groovy Plugin. The handler also lacks proper restriction on which types may be instantiated, allowing requests to target job and system configuration types instead of Pipeline steps alone.

Attack Vector

Exploitation is network-based and requires user interaction. An attacker hosts a malicious page or sends a crafted link to a Jenkins user with low privileges. When the victim visits the page while authenticated to Jenkins, the browser submits the forged request to the Snippet Generator. No attacker authentication to Jenkins is required, but the victim must hold a valid session.

No verified public proof-of-concept code is available. See the Jenkins Security Advisory SECURITY-3677 for vendor technical details.

Detection Methods for CVE-2026-57283

Indicators of Compromise

  • Unexpected POST requests to Pipeline Snippet Generator endpoints originating from external Referer or Origin headers
  • Jenkins audit log entries showing Snippet Generator invocations that instantiate non-Pipeline-step types
  • Configuration changes to jobs or system settings correlated with user web sessions rather than direct administrative actions

Detection Strategies

  • Inspect Jenkins access logs for requests to Snippet Generator URLs with unusual referers or missing CSRF crumb headers
  • Correlate browser session activity with job and system configuration changes to identify CSRF-driven modifications
  • Alert on Pipeline: Groovy Plugin requests that reference class names outside the documented Pipeline step set

Monitoring Recommendations

  • Forward Jenkins controller HTTP access logs and audit logs to a centralized log platform for retention and analytics
  • Track plugin version inventory across Jenkins controllers to identify instances still running 4331.v9d06ed4658ff or earlier
  • Monitor outbound user navigation patterns from privileged Jenkins operators to detect potential CSRF lure interactions

How to Mitigate CVE-2026-57283

Immediate Actions Required

  • Upgrade the Jenkins Pipeline: Groovy Plugin to a version later than 4331.v9d06ed4658ff as soon as it is published by the vendor
  • Restrict access to the Jenkins web interface to trusted networks and authenticated users only
  • Review recent job and system configuration changes for unauthorized modifications attributable to CSRF activity

Patch Information

Refer to the Jenkins Security Advisory SECURITY-3677 for the fixed plugin version and upgrade guidance. Apply the vendor-supplied update through the Jenkins Plugin Manager and restart the controller to load the patched plugin.

Workarounds

  • Limit the Overall/Read and Pipeline-related permissions to a minimal set of trusted users until the patch is applied
  • Ensure Jenkins CSRF protection is enabled globally and that the crumb issuer is active for all authenticated sessions
  • Educate Jenkins users to avoid clicking untrusted links while logged into the controller
bash
# Verify installed Pipeline: Groovy Plugin version via Jenkins CLI
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
  list-plugins | grep workflow-cps

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.