Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57295

CVE-2026-57295: Jenkins EC2 Fleet Plugin CSRF Vulnerability

CVE-2026-57295 is a cross-site request forgery vulnerability in Jenkins EC2 Fleet Plugin that enables attackers to capture AWS credentials stored in Jenkins. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-57295 Overview

CVE-2026-57295 is a cross-site request forgery (CSRF) vulnerability affecting the Jenkins EC2 Fleet Plugin version 4.2.3.539.v8fedff2a_81c3 and earlier. The flaw allows attackers to coerce authenticated Jenkins users into triggering requests that connect to an attacker-specified URL using credentials IDs obtained through another method. Successful exploitation captures AWS credentials stored within Jenkins, exposing cloud infrastructure to unauthorized access. The vulnerability is categorized under [CWE-352] and requires low privileges to exploit over the network.

Critical Impact

Attackers can exfiltrate AWS credentials stored in Jenkins by abusing CSRF protections, enabling pivoting into AWS environments managed by the affected Jenkins instance.

Affected Products

  • Jenkins EC2 Fleet Plugin version 4.2.3.539.v8fedff2a_81c3
  • Jenkins EC2 Fleet Plugin earlier versions
  • Jenkins instances integrating EC2 Fleet for AWS-based build agents

Discovery Timeline

  • 2026-06-24 - Jenkins Security Advisory SECURITY-3774 published
  • 2026-06-24 - CVE-2026-57295 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-57295

Vulnerability Analysis

The Jenkins EC2 Fleet Plugin exposes an HTTP endpoint that initiates connections to user-supplied URLs using credentials stored in Jenkins. The endpoint does not require POST requests and lacks proper CSRF protection. An attacker who can induce an authenticated Jenkins user to visit a malicious page can trigger this endpoint with attacker-controlled parameters.

When the request executes, the plugin retrieves the specified AWS credentials from the Jenkins credentials store and uses them to authenticate against the attacker-supplied URL. The remote attacker-controlled server captures the credentials during the connection attempt, allowing extraction of AWS access keys and secret keys.

The attacker must already know valid credentials IDs, which can be obtained through complementary information disclosure vulnerabilities or insider reconnaissance. Once captured, the AWS credentials grant the attacker access to whatever AWS services and resources the original credentials were authorized to use.

Root Cause

The root cause is missing CSRF protection on a sensitive endpoint that performs outbound authenticated connections. The plugin accepts requests via HTTP GET and does not validate a Jenkins crumb token before processing the request and dereferencing stored credentials.

Attack Vector

Exploitation requires an authenticated Jenkins user with at least Overall/Read permission to visit an attacker-crafted web page. The page issues a request to the vulnerable Jenkins endpoint, supplying a target URL controlled by the attacker and a known credentials ID. Jenkins then connects to the attacker's server using the AWS credentials, exposing them in the authentication exchange.

The vulnerability mechanism is described in the Jenkins Security Advisory #SECURITY-3774. No public proof-of-concept code has been released, and the EPSS score is 0.101%.

Detection Methods for CVE-2026-57295

Indicators of Compromise

  • Unexpected outbound HTTP/HTTPS connections from the Jenkins controller to unknown external hosts
  • Jenkins audit log entries showing credentials retrieval requests from unusual referrers or session contexts
  • AWS CloudTrail entries showing API activity from IP addresses outside the expected Jenkins infrastructure
  • Use of Jenkins-stored AWS credentials from geolocations or user agents inconsistent with normal CI/CD activity

Detection Strategies

  • Review Jenkins access logs for GET requests to EC2 Fleet Plugin endpoints containing external URL parameters
  • Correlate Jenkins outbound network connections with AWS CloudTrail to identify credential misuse
  • Monitor for HTTP requests to Jenkins that originate from cross-origin referrers targeting plugin configuration endpoints
  • Enable CSRF crumb enforcement logging and alert on requests rejected for missing crumbs

Monitoring Recommendations

  • Forward Jenkins controller logs and AWS CloudTrail events into a centralized SIEM for correlation
  • Establish a baseline of expected outbound destinations from the Jenkins controller and alert on deviations
  • Track credentials usage in Jenkins through the Credentials Binding audit trail
  • Rotate and monitor AWS IAM access keys configured in Jenkins on a defined schedule

How to Mitigate CVE-2026-57295

Immediate Actions Required

  • Upgrade the Jenkins EC2 Fleet Plugin to a version later than 4.2.3.539.v8fedff2a_81c3 once released by the maintainers
  • Rotate any AWS credentials stored in Jenkins that may have been exposed to untrusted users
  • Restrict Jenkins Overall/Read permission to trusted users only
  • Enforce CSRF protection in Jenkins global security configuration if not already enabled

Patch Information

Refer to the Jenkins Security Advisory #SECURITY-3774 for the patched version and remediation guidance. At time of publication, the advisory indicates no fix is currently available; administrators should monitor the advisory for updates.

Workarounds

  • Limit network egress from the Jenkins controller using firewall rules to allow only approved AWS endpoints
  • Apply IAM least-privilege policies to AWS credentials configured in Jenkins to reduce blast radius
  • Disable or remove the EC2 Fleet Plugin if it is not actively used
  • Require Jenkins users to log out after sessions and avoid browsing untrusted sites while authenticated
bash
# Example: restrict Jenkins controller outbound traffic to AWS endpoints only
iptables -A OUTPUT -d ec2.amazonaws.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner jenkins -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.