CVE-2026-57286 Overview
CVE-2026-57286 is a missing authorization vulnerability in the Jenkins Git Parameter Plugin. Versions 462.vdcf3df2ed2ca_ and earlier fail to enforce proper permission checks on an endpoint that exposes Source Code Management (SCM) repository metadata. Authenticated attackers holding only Item/Read permission can query branch names, tag names, and revision metadata for repositories used by Jenkins jobs. The flaw is categorized under CWE-862: Missing Authorization and impacts the confidentiality of build pipeline configuration data. No code execution or data modification is possible through this issue.
Critical Impact
Authenticated users with minimal Item/Read access can enumerate SCM branch, tag, and revision data from Jenkins jobs configured with the Git Parameter Plugin.
Affected Products
- Jenkins Git Parameter Plugin version 462.vdcf3df2ed2ca_
- Jenkins Git Parameter Plugin versions earlier than 462.vdcf3df2ed2ca_
- Jenkins controllers with the affected plugin enabled
Discovery Timeline
- 2026-06-24 - Jenkins publishes security advisory SECURITY-3745
- 2026-06-24 - CVE-2026-57286 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-57286
Vulnerability Analysis
The Jenkins Git Parameter Plugin provides a build parameter type that lets users select Git branches, tags, or revisions at build time. To populate the selection list, the plugin exposes an HTTP endpoint that queries the configured SCM repository for branch and tag references. In affected versions, this endpoint does not validate that the requesting user holds sufficient permission on the target job before returning SCM metadata.
A user with Item/Read access, which is the baseline permission needed to view a job, can invoke the endpoint and retrieve repository details that would normally require higher privileges such as Item/Configure or direct SCM credentials. Returned data includes branch names, tag names, and associated revision identifiers tied to the job's configured repository.
Root Cause
The root cause is a missing permission check on the parameter value provider endpoint within the Git Parameter Plugin. The handler accepts requests from any authenticated user with read access and forwards them to the SCM layer without first verifying that the caller is entitled to view repository internals.
Attack Vector
Exploitation requires network access to the Jenkins controller and a valid account with Item/Read permission on the affected job. The attacker issues an HTTP request to the plugin endpoint associated with the Git parameter, parses the JSON response, and harvests branch, tag, and revision metadata. No user interaction is required, and the activity is indistinguishable from normal parameter rendering in standard Jenkins logs. Refer to the Jenkins Security Advisory 2026-06-24 for endpoint specifics.
Detection Methods for CVE-2026-57286
Indicators of Compromise
- Repeated HTTP requests from a single authenticated user to Git Parameter Plugin value endpoints across multiple jobs.
- Access patterns from accounts that hold only Item/Read and have no legitimate reason to enumerate SCM metadata.
- Bursts of parameter retrieval requests outside of build execution windows.
Detection Strategies
- Review Jenkins access logs for requests to plugin URLs containing gitParameter or related parameter value provider paths.
- Correlate authenticated user sessions against the jobs they are expected to interact with, flagging cross-job enumeration.
- Audit the user permission matrix to identify accounts with Item/Read that should not have visibility into SCM-backed jobs.
Monitoring Recommendations
- Forward Jenkins controller access and audit logs to a central SIEM for retention and query.
- Alert on a single principal accessing parameter endpoints across an unusual number of jobs within a short window.
- Track plugin version inventory across Jenkins controllers to confirm patch status over time.
How to Mitigate CVE-2026-57286
Immediate Actions Required
- Upgrade the Jenkins Git Parameter Plugin to a release later than 462.vdcf3df2ed2ca_ once available from the Jenkins update center.
- Review and tighten the Jenkins authorization matrix so that Item/Read is granted only to users with a business need.
- Audit jobs that rely on the Git Parameter Plugin to identify those exposing sensitive internal repositories.
Patch Information
Jenkins addresses the issue under advisory SECURITY-3745. Administrators should consult the Jenkins Security Advisory 2026-06-24 for the fixed plugin version and apply it through the Jenkins plugin manager. Restart the controller if required to load the patched plugin classes.
Workarounds
- Restrict Item/Read permission on jobs that use the Git Parameter Plugin until the plugin is updated.
- Remove or disable the Git Parameter Plugin on controllers where it is not actively required.
- Segment Jenkins controllers handling sensitive repositories from shared multi-tenant Jenkins environments.
# Verify installed Git Parameter Plugin version via Jenkins CLI
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
list-plugins git-parameter
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

