CVE-2026-57294 Overview
CVE-2026-57294 is a missing authorization vulnerability [CWE-862] in the Jenkins EC2 Fleet Plugin. Versions 4.2.3.539.v8fedff2a_81c3 and earlier fail to enforce permission checks on a connection-test endpoint. Attackers holding only Overall/Read permission can force the plugin to connect to an attacker-controlled URL using credentials IDs obtained through other means. The resulting request captures AWS credentials stored in Jenkins and forwards them to the attacker. The issue is tracked as Jenkins SECURITY-3774 and primarily affects confidentiality and integrity of cloud credentials managed through Jenkins.
Critical Impact
Authenticated attackers with low-privilege Jenkins access can exfiltrate stored AWS credentials by abusing the plugin's connection-test functionality.
Affected Products
- Jenkins EC2 Fleet Plugin version 4.2.3.539.v8fedff2a_81c3
- Jenkins EC2 Fleet Plugin versions earlier than 4.2.3.539.v8fedff2a_81c3
- Jenkins controllers using the EC2 Fleet Plugin to manage AWS Auto Scaling agents
Discovery Timeline
- 2026-06-24 - Jenkins publishes Security Advisory SECURITY-3774
- 2026-06-24 - CVE-2026-57294 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-57294
Vulnerability Analysis
The Jenkins EC2 Fleet Plugin exposes form-validation or connection-test endpoints used to verify AWS connectivity before saving cloud configuration. These endpoints accept a target URL and a credentials identifier as parameters. In affected versions, the plugin does not validate that the requesting user holds administrative permissions before performing the test connection. Any authenticated user with Overall/Read can invoke the endpoint, supply an attacker-controlled URL, and pass the identifier of any credentials object stored in Jenkins. The plugin retrieves the AWS access key and secret, then transmits them as part of the outbound request to the attacker's endpoint.
Root Cause
The root cause is a missing permission check [CWE-862] on a form-submission handler. Jenkins guidance requires endpoints that accept credentials IDs to enforce Overall/Administer and to perform credentials lookups against the requesting user's authentication context. The EC2 Fleet Plugin omits both controls, allowing privilege boundary bypass within the Jenkins authorization model.
Attack Vector
An attacker authenticates to Jenkins with a low-privilege account that holds Overall/Read. The attacker enumerates credentials IDs through other Jenkins surfaces or guesses common identifiers. They then issue an HTTP request to the EC2 Fleet Plugin's connection-test handler, specifying their own listener URL and a target credentials ID. The Jenkins controller resolves the credentials, constructs an AWS-style request, and sends it to the attacker's server. The listener captures the AWS access key and secret in transit.
No verified public exploit code is available. Refer to the Jenkins Security Advisory SECURITY-3774 for technical specifics from the maintainers.
Detection Methods for CVE-2026-57294
Indicators of Compromise
- Outbound HTTP or HTTPS connections from the Jenkins controller to unexpected hosts originating from EC2 Fleet Plugin code paths
- Jenkins access logs showing requests to EC2 Fleet Plugin form-validation endpoints from accounts that do not normally configure cloud agents
- AWS CloudTrail entries showing API calls from previously unseen source IPs using credentials configured in Jenkins
Detection Strategies
- Audit Jenkins access.log for POST requests to EC2 Fleet Plugin doTest, doCheck, or similar descriptor endpoints from non-administrator accounts
- Correlate Jenkins controller egress traffic with the plugin's expected AWS endpoints; alert on connections to non-AWS destinations
- Monitor for AWS API activity from credentials provisioned in Jenkins where the originating IP differs from the Jenkins controller's egress address
Monitoring Recommendations
- Enable verbose Jenkins audit logging and forward logs to a centralized SIEM for retention and correlation
- Apply egress filtering on the Jenkins controller to restrict outbound HTTPS to known AWS service endpoints
- Rotate stored AWS credentials and review CloudTrail for use from unexpected source addresses
How to Mitigate CVE-2026-57294
Immediate Actions Required
- Upgrade the Jenkins EC2 Fleet Plugin to a release later than 4.2.3.539.v8fedff2a_81c3 once available from the Jenkins update center
- Restrict Overall/Read to trusted users until the patched version is installed
- Rotate all AWS credentials stored in Jenkins and review CloudTrail for evidence of misuse
Patch Information
The Jenkins project tracks the fix under advisory SECURITY-3774. Apply the plugin update through the Jenkins plugin manager. After upgrade, verify that the connection-test endpoint enforces Overall/Administer and performs credentials lookups against the requesting user.
Workarounds
- Tighten the Jenkins authorization strategy so that only administrators hold Overall/Read, removing anonymous and authenticated-user read grants
- Disable the EC2 Fleet Plugin entirely if cloud agent provisioning is not currently in use
- Apply network egress controls on the Jenkins controller to block connections to arbitrary external destinations
# Inspect installed plugin version on the Jenkins controller
jenkins-cli -s "$JENKINS_URL" list-plugins | grep ec2-fleet
# Update via Jenkins CLI once a fixed version is available
jenkins-cli -s "$JENKINS_URL" install-plugin ec2-fleet -restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

