CVE-2026-57287 Overview
CVE-2026-57287 affects the Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier. The plugin fails to redact encrypted secret values when rendering historical job and agent configurations. Attackers holding the Extended Read permission can view encrypted secrets that the plugin would normally redact in current configuration views. The flaw is categorized under [CWE-312] (cleartext storage of sensitive information) because encrypted secrets exposed through the UI can be extracted and decrypted by authenticated low-privilege users. Jenkins published the issue in Security Advisory SECURITY-3742 on June 24, 2026.
Critical Impact
Authenticated users with Extended Read permission can recover encrypted secret values from historical Jenkins job and agent configurations, bypassing the plugin's redaction controls.
Affected Products
- Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_
- All prior versions of the Jenkins Job Configuration History Plugin
- Jenkins controllers using the plugin with Extended Read permission granted to non-admin users
Discovery Timeline
- 2026-06-24 - Jenkins publishes Security Advisory SECURITY-3742
- 2026-06-24 - CVE-2026-57287 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-57287
Vulnerability Analysis
The Job Configuration History Plugin stores prior versions of job and agent config.xml files so administrators can audit configuration changes. When Jenkins renders a current configuration, the platform redacts encrypted secret fields before display. The history plugin does not apply equivalent redaction when rendering archived configurations. The exposed values are encrypted, but their disclosure to lower-privileged users undermines the secret-handling model that Jenkins enforces elsewhere. An attacker holding only Extended Read permission can request historical configuration views and harvest these encrypted secrets.
Root Cause
The plugin renders historical config.xml content without invoking the same redaction logic that Jenkins core applies to live configuration pages. The encrypted secret fields, which Jenkins normally replaces with a redacted placeholder for users lacking Job/Configure, are passed through unchanged. This is a missing access-control check on data that is sensitive even in encrypted form, mapped to [CWE-312].
Attack Vector
Exploitation requires network access to the Jenkins web UI and an authenticated account with Extended Read permission on the target job or agent. The attacker navigates to the configuration history view exposed by the plugin and inspects archived XML revisions. Encrypted secret strings appear in the response body and can be saved for offline analysis. If the attacker later gains access to the Jenkins master key, or recovers it through another flaw, the harvested ciphertext can be decrypted into plaintext credentials.
No verified proof-of-concept code is publicly available. See the Jenkins Security Advisory SECURITY-3742 for technical details.
Detection Methods for CVE-2026-57287
Indicators of Compromise
- HTTP GET requests to /jobConfigHistory/ or /job/<name>/jobConfigHistory/ endpoints by accounts that lack Job/Configure permission
- Repeated access to showDiffFiles, showFileVersion, or configOutput actions exported by the plugin
- Response bodies containing the {AQAAABAAAAAQ...} Jenkins-encrypted secret prefix delivered to non-admin sessions
Detection Strategies
- Review Jenkins access logs for users with Extended Read permission accessing job configuration history URLs
- Correlate authentication events with plugin endpoint access to identify unusual reconnaissance patterns
- Audit role-based access control (RBAC) assignments to identify accounts granted Extended Read without operational justification
Monitoring Recommendations
- Forward Jenkins controller access.log and audit.log to a centralized logging platform for retention and search
- Alert on bulk retrieval of historical configuration revisions by a single principal within a short window
- Track changes to the Job Configuration History Plugin version across all Jenkins controllers in the environment
How to Mitigate CVE-2026-57287
Immediate Actions Required
- Upgrade the Job Configuration History Plugin to a release that postdates 1356.ve360da_6c523a_ and remediates SECURITY-3742
- Inventory all Jenkins controllers and identify instances with the plugin installed
- Revoke Extended Read permission from users who do not require historical configuration visibility
- Rotate any secrets that may have been exposed to users with Extended Read permission since the plugin was installed
Patch Information
Apply the fixed plugin version referenced in Jenkins Security Advisory SECURITY-3742. Updates can be installed through the Jenkins Plugin Manager or by replacing the plugin .hpi file on the controller and restarting Jenkins.
Workarounds
- Disable the Job Configuration History Plugin until a fixed version is deployed
- Restrict the Extended Read permission to administrators using the Role-Based Authorization Strategy or Matrix Authorization plugins
- Place the Jenkins controller behind a reverse proxy that enforces additional authentication on configuration history endpoints
# Verify installed plugin version on the Jenkins controller
curl -s -u "$JENKINS_USER:$JENKINS_TOKEN" \
"$JENKINS_URL/pluginManager/api/json?depth=1" \
| jq '.plugins[] | select(.shortName=="jobConfigHistory") | {shortName, version, enabled}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

