CVE-2026-57290 Overview
CVE-2026-57290 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Priority Sorter Plugin. The flaw affects version 936.v2c01c6b_84449 and earlier releases. Attackers can exploit this weakness to overwrite the global job priority configuration when an authenticated user visits a malicious page. The vulnerability is tracked under CWE-352 and originates from missing CSRF protection on a request handler. Jenkins published advisory SECURITY-3769 documenting the issue.
Critical Impact
An attacker who tricks an authenticated Jenkins user into visiting a crafted page can modify global job priority settings, disrupting build queue ordering across the Jenkins controller.
Affected Products
- Jenkins Priority Sorter Plugin version 936.v2c01c6b_84449
- Jenkins Priority Sorter Plugin versions prior to 936.v2c01c6b_84449
- Jenkins controllers running vulnerable plugin instances
Discovery Timeline
- 2026-06-24 - Jenkins publishes Security Advisory SECURITY-3769
- 2026-06-24 - CVE-2026-57290 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-57290
Vulnerability Analysis
The Priority Sorter Plugin extends Jenkins with the ability to assign priority values to jobs in the build queue. Administrators configure a global priority configuration that governs default behavior across all jobs. The vulnerability stems from the plugin exposing this configuration endpoint without enforcing a CSRF token check.
An attacker hosts a malicious web page containing a forged form or scripted request targeting the Jenkins controller. When an authenticated Jenkins user with sufficient privileges visits the page, the browser submits the request using existing session cookies. The Jenkins controller processes the request as legitimate and overwrites the global job priority configuration.
The attack requires user interaction, as reflected in the CVSS vector component UI:R. The impact is limited to integrity of the priority configuration, with no direct confidentiality or availability impact on the underlying Jenkins controller. The EPSS score of 0.109% reflects low predicted exploitation activity.
Root Cause
The root cause is missing CSRF protection on the request handler that updates global job priority configuration. The plugin accepts state-changing requests without validating an anti-forgery token, violating standard Jenkins security guidance for protecting POST endpoints.
Attack Vector
The attack vector is network-based and requires social engineering. An attacker crafts a malicious HTML page containing an auto-submitting form pointed at the vulnerable Priority Sorter Plugin endpoint. The attacker delivers the link through phishing, a watering-hole site, or any channel that lures the target into clicking. The victim must be authenticated to Jenkins at the time of the visit for the forged request to succeed.
No verified public proof-of-concept code is available. See the Jenkins Security Advisory SECURITY-3769 for additional technical detail.
Detection Methods for CVE-2026-57290
Indicators of Compromise
- Unexpected modifications to the global job priority configuration in Jenkins audit logs
- HTTP POST requests to Priority Sorter Plugin configuration endpoints originating with Referer headers pointing to external domains
- Configuration changes outside normal administrative change windows
- Build queue ordering anomalies that do not match documented priority policies
Detection Strategies
- Enable and review Jenkins audit logging through the Audit Trail Plugin to capture configuration changes
- Inspect web server access logs for requests to Priority Sorter endpoints lacking expected CSRF crumb parameters
- Correlate authenticated user sessions with outbound browsing activity to suspicious domains immediately before configuration changes
- Track plugin version inventory across Jenkins controllers to identify unpatched instances
Monitoring Recommendations
- Forward Jenkins controller logs to a centralized SIEM or data lake for cross-correlation with browser proxy telemetry
- Alert on any modification to global Priority Sorter configuration items, especially outside change-management windows
- Monitor for HTTP requests to Jenkins endpoints with unusual Origin or Referer headers
- Baseline build queue priority distribution and alert on statistical deviations
How to Mitigate CVE-2026-57290
Immediate Actions Required
- Inventory all Jenkins controllers and identify instances running Priority Sorter Plugin version 936.v2c01c6b_84449 or earlier
- Update the Priority Sorter Plugin to a fixed release as published in Jenkins Security Advisory SECURITY-3769
- Verify that Jenkins CSRF protection is globally enabled under Manage Jenkins > Security
- Review recent changes to global job priority configuration and revert any unauthorized modifications
Patch Information
Jenkins maintainers addressed the issue through a plugin update referenced in advisory SECURITY-3769. The fix introduces CSRF protection on the affected request handler, requiring a valid crumb token for state-changing operations. Administrators should consult the advisory for the specific fixed version number and apply the update through the Jenkins plugin manager.
Workarounds
- Restrict access to the Jenkins controller to trusted networks using firewall or reverse proxy controls until the patch is applied
- Require administrators to use a dedicated browser profile or separate browser for Jenkins sessions to limit CSRF exposure
- Reduce the number of accounts with permissions to modify global Priority Sorter configuration
- Train Jenkins users to log out of administrative sessions when not actively performing administrative work
# Verify installed Priority Sorter Plugin version via Jenkins CLI
java -jar jenkins-cli.jar -s https://jenkins.example.com/ \
list-plugins | grep priority-sorter
# Confirm global CSRF protection is enabled
curl -s -u "$USER:$TOKEN" \
https://jenkins.example.com/crumbIssuer/api/json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

