CVE-2026-57288 Overview
CVE-2026-57288 affects Jenkins Active Directory Plugin version 2.41.1 and earlier. The plugin fails to escape user names before building the Lightweight Directory Access Protocol (LDAP) search filter in the Windows native Active Directory Service Interfaces (ADSI) authentication path. Unauthenticated attackers can inject LDAP wildcard characters to enumerate directory entries. Attackers can also authenticate as a matching user whose password they know without knowing the exact user name. The flaw is classified under [CWE-90] LDAP Injection.
Critical Impact
Unauthenticated attackers can enumerate Active Directory entries and authenticate as users by abusing LDAP wildcard injection in the Jenkins authentication filter.
Affected Products
- Jenkins Active Directory Plugin 2.41.1 and earlier
- Jenkins instances using the Windows native (ADSI) authentication path
- Deployments relying on Active Directory for Jenkins user authentication
Discovery Timeline
- 2026-06-24 - CVE-2026-57288 published to NVD alongside Jenkins Security Advisory SECURITY-3651
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-57288
Vulnerability Analysis
The Jenkins Active Directory Plugin constructs an LDAP search filter using the user-supplied user name during authentication. In the Windows native ADSI authentication path, the plugin does not escape special LDAP filter metacharacters before concatenating the user name into the filter string. An attacker can supply input containing the * wildcard or other LDAP filter operators to alter the search semantics. The injected filter then matches multiple directory entries rather than a single account.
This behavior produces two consequences. First, attackers can enumerate directory entries by observing which crafted patterns return matches. Second, when the attacker knows a valid password for any user in the directory, the broadened filter can match that user even when the attacker does not know the exact sAMAccountName. Authentication succeeds against any account returned by the manipulated filter whose password matches the supplied credential.
Root Cause
The root cause is missing sanitization of user-controlled input prior to LDAP filter construction, mapped to [CWE-90] Improper Neutralization of Special Elements used in an LDAP Query. The ADSI authentication path concatenates the raw user name into the search filter without applying RFC 4515 escaping rules.
Attack Vector
The attack vector is network-based and requires no prior authentication or user interaction. An attacker submits a crafted user name containing LDAP wildcard characters such as * to the Jenkins login endpoint. The plugin embeds the input directly into the LDAP search filter, broadening the result set. Successful authentication then proceeds against any matching account whose password the attacker controls.
No verified exploitation code is publicly documented. See the Jenkins Security Advisory SECURITY-3651 for vendor technical details.
Detection Methods for CVE-2026-57288
Indicators of Compromise
- Authentication attempts to Jenkins where the submitted user name contains *, (, ), \, or NUL bytes
- Repeated failed logins followed by a successful login under an unusual or partial user name string
- Jenkins audit log entries showing successful authentication for an account that does not match a discrete directory sAMAccountName
- Active Directory domain controller logs showing LDAP search filters containing unexpected wildcards originating from the Jenkins controller
Detection Strategies
- Inspect Jenkins access logs for login form submissions containing LDAP metacharacters in the user name field
- Correlate Jenkins authentication events with domain controller event ID 1644 (expensive LDAP search) entries from the Jenkins service account
- Alert on authentication success events where the supplied user name does not exactly match a resolved account distinguished name
Monitoring Recommendations
- Forward Jenkins authentication logs and Active Directory security events to a centralized log analytics platform for correlation
- Baseline normal LDAP search filter patterns generated by Jenkins and alert on deviations containing wildcard characters
- Monitor for spikes in failed authentication attempts followed by successful logins from the same source IP
How to Mitigate CVE-2026-57288
Immediate Actions Required
- Upgrade the Jenkins Active Directory Plugin to a version later than 2.41.1 that includes the fix referenced in SECURITY-3651
- Audit Jenkins authentication logs for prior LDAP wildcard injection attempts
- Rotate credentials for any user accounts suspected of having been accessed via wildcard matching
- Restrict network access to the Jenkins login endpoint to trusted networks until patching is complete
Patch Information
Apply the fixed version of the Jenkins Active Directory Plugin as documented in the Jenkins Security Advisory SECURITY-3651. The patch escapes user-supplied input before constructing the LDAP search filter in the ADSI authentication path.
Workarounds
- Switch from the Windows native (ADSI) authentication path to the platform-independent LDAP authentication mode where applicable
- Place Jenkins behind a reverse proxy or web application firewall that rejects login submissions containing LDAP metacharacters
- Enforce strong, unique passwords across all Active Directory accounts to limit the value of a successful wildcard-matched authentication
# Verify the installed Jenkins Active Directory Plugin version
jenkins-plugin-cli --list | grep active-directory
# Upgrade the plugin via the Jenkins CLI
jenkins-plugin-cli --plugins active-directory:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

