CVE-2026-57306 Overview
CVE-2026-57306 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Zowe zDevOps Plugin version 1.1.3.50.ve350c9b_450b_1 and earlier. The flaw allows attackers to force the Jenkins controller to connect to an attacker-specified URL using credentials IDs obtained through other means. A successful attack captures credentials stored in Jenkins and sends them to the attacker-controlled endpoint. The issue is tracked under CWE-352: Cross-Site Request Forgery and disclosed in Jenkins Security Advisory SECURITY-3747.
Critical Impact
Authenticated attackers can exfiltrate stored Jenkins credentials by tricking authorized users into triggering malicious HTTP requests against the Zowe zDevOps Plugin.
Affected Products
- Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier
- Jenkins controllers with the Zowe zDevOps Plugin installed
- Pipelines referencing credentials managed by the plugin
Discovery Timeline
- 2026-06-24 - Jenkins publishes Security Advisory SECURITY-3747
- 2026-06-24 - CVE-2026-57306 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-57306
Vulnerability Analysis
The Zowe zDevOps Plugin exposes an HTTP endpoint that accepts a target URL and a credentials ID, then performs a connection test on behalf of the requester. The endpoint does not require POST requests and does not enforce CSRF protection. An attacker who knows or guesses a valid credentials ID can craft a request that forces Jenkins to authenticate to an attacker-controlled server. The server records the credentials transmitted during the connection attempt, leaking secrets stored inside Jenkins. The attack succeeds at low complexity once a victim with appropriate Jenkins permissions visits an attacker-prepared page or follows a malicious link.
Root Cause
The root cause is missing CSRF protection on a state-changing form submission in the plugin. Jenkins requires @POST or RequirePOST annotations and crumb validation on endpoints that perform sensitive operations. The vulnerable connection-test handler accepts GET requests and omits crumb verification, allowing cross-origin requests to invoke it. Combined with the plugin accepting a user-supplied URL and credentials ID, the missing protection enables credential exfiltration as described in [CWE-352].
Attack Vector
An attacker first obtains a valid credentials ID, often through information disclosure flaws, log inspection, or pipeline script review. The attacker then hosts a malicious page containing an image tag, fetch call, or auto-submitting form that targets the vulnerable plugin endpoint with the chosen credentials ID and a URL pointing to attacker-controlled infrastructure. When a Jenkins user with sufficient privileges loads the page, the browser sends the request with session cookies. The Jenkins controller resolves the credentials and transmits them to the attacker endpoint, completing the capture. Technical specifics are documented in Jenkins Security Advisory SECURITY-3747.
Detection Methods for CVE-2026-57306
Indicators of Compromise
- Outbound HTTP or HTTPS connections from the Jenkins controller to unexpected external hosts originating from the Zowe zDevOps Plugin.
- Jenkins access logs showing GET requests to Zowe zDevOps connection-test descriptor URLs with credentialsId parameters.
- Audit log entries referencing credentials IDs accessed outside of normal pipeline execution windows.
Detection Strategies
- Inspect the Jenkins request log for descriptor endpoint hits under /descriptorByName/ paths belonging to the Zowe zDevOps Plugin lacking CSRF crumb headers.
- Correlate plugin invocations with referrer headers pointing to untrusted external domains.
- Alert on credential usage by user sessions rather than automated build agents.
Monitoring Recommendations
- Forward Jenkins controller logs and outbound proxy logs to a centralized SIEM for correlation.
- Baseline expected outbound destinations for the Jenkins controller and alert on deviations.
- Monitor for plugin updates and validate that the installed version is not within the vulnerable range.
How to Mitigate CVE-2026-57306
Immediate Actions Required
- Upgrade the Jenkins Zowe zDevOps Plugin to a version newer than 1.1.3.50.ve350c9b_450b_1 once a fixed release is available.
- Restrict the Overall/Read and job configuration permissions to trusted users to limit access to credentials IDs.
- Rotate any credentials managed through the Zowe zDevOps Plugin that may have been exposed.
Patch Information
Refer to Jenkins Security Advisory SECURITY-3747 for the current patch status. At the time of advisory publication, administrators should consult the advisory page for the fixed version number and upgrade guidance.
Workarounds
- Disable or uninstall the Zowe zDevOps Plugin until a patched version is deployed.
- Enforce egress filtering on the Jenkins controller to block outbound connections to untrusted destinations.
- Require administrators to confirm logout from Jenkins before browsing untrusted sites and enforce short session lifetimes.
# List installed plugin version on the Jenkins controller
jenkins-cli -s "$JENKINS_URL" list-plugins | grep -i zowe
# Disable the plugin pending patch
jenkins-cli -s "$JENKINS_URL" disable-plugin zowe-zdevops
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

