Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57287

CVE-2026-57287: Jenkins Job Configuration History Plugin Flaw

CVE-2026-57287 is an information disclosure vulnerability in Jenkins Job Configuration History Plugin that exposes encrypted secrets to users with Extended Read permission. This article covers technical details, affected versions, and steps.

Published:

CVE-2026-57287 Overview

CVE-2026-57287 affects the Jenkins Job Configuration History Plugin version 1356.ve360da_6c523a_ and earlier. The plugin fails to redact encrypted secret values when rendering historical job and agent configurations. Attackers holding the Extended Read permission can view encrypted secrets that the plugin would normally redact in current configuration views. The flaw is categorized under [CWE-312] (cleartext storage of sensitive information) because encrypted secrets exposed through the UI can be extracted and decrypted by authenticated low-privilege users. Jenkins published the issue in Security Advisory SECURITY-3742 on June 24, 2026.

Critical Impact

Authenticated users with Extended Read permission can recover encrypted secret values from historical Jenkins job and agent configurations, bypassing the plugin's redaction controls.

Affected Products

  • Jenkins Job Configuration History Plugin 1356.ve360da_6c523a_
  • All prior versions of the Jenkins Job Configuration History Plugin
  • Jenkins controllers using the plugin with Extended Read permission granted to non-admin users

Discovery Timeline

  • 2026-06-24 - Jenkins publishes Security Advisory SECURITY-3742
  • 2026-06-24 - CVE-2026-57287 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-57287

Vulnerability Analysis

The Job Configuration History Plugin stores prior versions of job and agent config.xml files so administrators can audit configuration changes. When Jenkins renders a current configuration, the platform redacts encrypted secret fields before display. The history plugin does not apply equivalent redaction when rendering archived configurations. The exposed values are encrypted, but their disclosure to lower-privileged users undermines the secret-handling model that Jenkins enforces elsewhere. An attacker holding only Extended Read permission can request historical configuration views and harvest these encrypted secrets.

Root Cause

The plugin renders historical config.xml content without invoking the same redaction logic that Jenkins core applies to live configuration pages. The encrypted secret fields, which Jenkins normally replaces with a redacted placeholder for users lacking Job/Configure, are passed through unchanged. This is a missing access-control check on data that is sensitive even in encrypted form, mapped to [CWE-312].

Attack Vector

Exploitation requires network access to the Jenkins web UI and an authenticated account with Extended Read permission on the target job or agent. The attacker navigates to the configuration history view exposed by the plugin and inspects archived XML revisions. Encrypted secret strings appear in the response body and can be saved for offline analysis. If the attacker later gains access to the Jenkins master key, or recovers it through another flaw, the harvested ciphertext can be decrypted into plaintext credentials.

No verified proof-of-concept code is publicly available. See the Jenkins Security Advisory SECURITY-3742 for technical details.

Detection Methods for CVE-2026-57287

Indicators of Compromise

  • HTTP GET requests to /jobConfigHistory/ or /job/<name>/jobConfigHistory/ endpoints by accounts that lack Job/Configure permission
  • Repeated access to showDiffFiles, showFileVersion, or configOutput actions exported by the plugin
  • Response bodies containing the {AQAAABAAAAAQ...} Jenkins-encrypted secret prefix delivered to non-admin sessions

Detection Strategies

  • Review Jenkins access logs for users with Extended Read permission accessing job configuration history URLs
  • Correlate authentication events with plugin endpoint access to identify unusual reconnaissance patterns
  • Audit role-based access control (RBAC) assignments to identify accounts granted Extended Read without operational justification

Monitoring Recommendations

  • Forward Jenkins controller access.log and audit.log to a centralized logging platform for retention and search
  • Alert on bulk retrieval of historical configuration revisions by a single principal within a short window
  • Track changes to the Job Configuration History Plugin version across all Jenkins controllers in the environment

How to Mitigate CVE-2026-57287

Immediate Actions Required

  • Upgrade the Job Configuration History Plugin to a release that postdates 1356.ve360da_6c523a_ and remediates SECURITY-3742
  • Inventory all Jenkins controllers and identify instances with the plugin installed
  • Revoke Extended Read permission from users who do not require historical configuration visibility
  • Rotate any secrets that may have been exposed to users with Extended Read permission since the plugin was installed

Patch Information

Apply the fixed plugin version referenced in Jenkins Security Advisory SECURITY-3742. Updates can be installed through the Jenkins Plugin Manager or by replacing the plugin .hpi file on the controller and restarting Jenkins.

Workarounds

  • Disable the Job Configuration History Plugin until a fixed version is deployed
  • Restrict the Extended Read permission to administrators using the Role-Based Authorization Strategy or Matrix Authorization plugins
  • Place the Jenkins controller behind a reverse proxy that enforces additional authentication on configuration history endpoints
bash
# Verify installed plugin version on the Jenkins controller
curl -s -u "$JENKINS_USER:$JENKINS_TOKEN" \
  "$JENKINS_URL/pluginManager/api/json?depth=1" \
  | jq '.plugins[] | select(.shortName=="jobConfigHistory") | {shortName, version, enabled}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.