CVE-2026-57285 Overview
CVE-2026-57285 is a missing authorization vulnerability in the Jenkins GitHub Branch Source Plugin. Versions 1967.1969.v205fd594c821 and earlier fail to enforce permission checks on an endpoint that returns GitHub Enterprise server URLs configured in the global plugin configuration. Authenticated users holding only Overall/Read permission can retrieve these URLs without additional privileges. The flaw is tracked under CWE-862: Missing Authorization and is documented in Jenkins Security Advisory #SECURITY-3808.
Critical Impact
Low-privileged Jenkins users can enumerate internal GitHub Enterprise server URLs, exposing infrastructure details useful for reconnaissance against internal source code management systems.
Affected Products
- Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier
- Jenkins controllers with the GitHub Branch Source Plugin enabled
- Environments integrating Jenkins with GitHub Enterprise via the affected plugin
Discovery Timeline
- 2026-06-24 - Jenkins publishes Security Advisory #SECURITY-3808
- 2026-06-24 - CVE-2026-57285 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-57285
Vulnerability Analysis
The Jenkins GitHub Branch Source Plugin exposes an HTTP endpoint that returns GitHub Enterprise server URLs configured in the global plugin configuration. The endpoint does not validate whether the calling user holds administrative permissions before returning the data. Any authenticated user with the baseline Overall/Read permission can invoke the endpoint and receive the configured URLs.
The vulnerability is classified under CWE-862: Missing Authorization. The EPSS score is 0.207%, reflecting low predicted exploitation activity. The disclosed URLs may reference internal hostnames, non-public GitHub Enterprise instances, or staging infrastructure that organizations consider sensitive.
Root Cause
The root cause is the absence of a permission check on the descriptor method that returns configured GitHub Enterprise server URLs. Jenkins plugins are expected to gate configuration-disclosing endpoints behind Jenkins.ADMINISTER or equivalent. The affected plugin code path skipped this verification, defaulting to authenticated access only.
Attack Vector
An attacker requires network access to the Jenkins controller and a valid account with Overall/Read permission. This permission level is commonly granted to developers, build operators, and read-only auditors. The attacker issues an authenticated HTTP request to the plugin endpoint and receives the GitHub Enterprise URLs in the response. The vulnerability does not allow modification of configuration or access to credentials, but the disclosed URLs can support follow-on reconnaissance or phishing campaigns targeting internal source code management.
No exploitation code is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Jenkins Security Advisory #SECURITY-3808 for endpoint specifics.
Detection Methods for CVE-2026-57285
Indicators of Compromise
- Authenticated HTTP requests from non-administrator accounts to GitHub Branch Source Plugin descriptor endpoints under /descriptorByName/
- Unusual access patterns to plugin configuration endpoints by users holding only Overall/Read
- Outbound reconnaissance traffic to internal GitHub Enterprise hostnames following Jenkins access events
Detection Strategies
- Review Jenkins access logs for HTTP GET requests to GitHub Branch Source Plugin descriptor endpoints initiated by non-admin users
- Correlate Jenkins authentication events with subsequent calls to plugin configuration endpoints
- Audit the Jenkins user permission matrix to identify accounts holding only Overall/Read that have queried plugin endpoints
Monitoring Recommendations
- Enable verbose Jenkins access logging and forward logs to a centralized SIEM for retention and analysis
- Alert on first-time access by a user account to any /descriptorByName/ endpoint
- Track changes to the installed version of the GitHub Branch Source Plugin to confirm patch deployment
How to Mitigate CVE-2026-57285
Immediate Actions Required
- Upgrade the Jenkins GitHub Branch Source Plugin to a version later than 1967.1969.v205fd594c821 as published in the Jenkins security advisory
- Audit Jenkins user accounts and remove Overall/Read from users who do not require Jenkins UI access
- Review GitHub Enterprise server URLs configured in Jenkins and assess whether their disclosure introduces additional exposure
Patch Information
Jenkins released a fixed version of the GitHub Branch Source Plugin as part of the Jenkins Security Advisory #SECURITY-3808 on 2026-06-24. Apply the update through the Jenkins Plugin Manager. Restart the Jenkins controller if required and verify the installed version after upgrade.
Workarounds
- Restrict network access to the Jenkins controller using firewall rules or reverse proxy authentication
- Implement role-based access control with the Jenkins Role-Based Authorization Strategy plugin to minimize Overall/Read assignments
- Segment GitHub Enterprise infrastructure on networks not directly inferable from disclosed URLs where feasible
# Verify installed plugin version via Jenkins CLI
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
list-plugins | grep github-branch-source
# Upgrade the plugin to the fixed release
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
install-plugin github-branch-source -restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

