CVE-2026-9674 Overview
CVE-2026-9674 is a cross-site request forgery (CSRF) vulnerability affecting the Jenkins Multijob Plugin version 662.vd2e0001f6b_b_d and earlier. The flaw allows attackers to resume failed Multijob builds by tricking authenticated Jenkins users into submitting forged requests. The vulnerability is tracked under CWE-352: Cross-Site Request Forgery and was disclosed in the Jenkins Security Advisory #SECURITY-3781.
Critical Impact
Attackers can resume failed Multijob builds without authorization by exploiting authenticated users through malicious links or pages, impacting build pipeline integrity.
Affected Products
- Jenkins Multijob Plugin version 662.vd2e0001f6b_b_d and earlier
- Jenkins installations with the Multijob Plugin enabled
- Continuous integration pipelines relying on Multijob orchestration
Discovery Timeline
- 2026-05-27 - CVE-2026-9674 published to NVD
- 2026-05-27 - Jenkins Security Advisory #SECURITY-3781 released
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-9674
Vulnerability Analysis
The vulnerability stems from missing CSRF protection on the endpoint responsible for resuming failed Multijob builds. The Jenkins Multijob Plugin orchestrates parallel and sequential job execution within Jenkins pipelines. When a Multijob build fails, the plugin exposes functionality to resume that build from the point of failure.
The affected endpoint does not require a valid CSRF crumb to process the resume action. Attackers can craft an HTML page or link that triggers the resume operation when visited by an authenticated Jenkins user. The browser submits the request along with the user's session cookies, and Jenkins executes the action on behalf of the victim.
Exploitation requires user interaction, specifically that a victim with permissions to resume Multijob builds visits an attacker-controlled resource while authenticated to Jenkins. The impact is limited to integrity of the build process, as the attack does not directly expose data or terminate services.
Root Cause
The root cause is the absence of CSRF protection on the build resume action. Jenkins provides a crumb-based CSRF defense mechanism, but the Multijob Plugin endpoint accepts state-changing requests without validating that the request originated from a legitimate Jenkins UI session.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a malicious page containing a forged request targeting the Multijob resume endpoint on the victim's Jenkins instance. When an authenticated user visits the page, their browser automatically attaches authentication cookies, allowing the resume action to execute. No privileges are required for the attacker, but the targeted user must have permission to resume Multijob builds.
Detection Methods for CVE-2026-9674
Indicators of Compromise
- Unexpected resumption of previously failed Multijob builds in Jenkins build history
- HTTP requests to Multijob resume endpoints originating from external Referer headers
- Authenticated Jenkins user sessions making state-changing requests without preceding UI navigation
- Anomalous build activity timestamps that do not correlate with scheduled jobs or user actions
Detection Strategies
- Audit Jenkins access logs for POST or GET requests to Multijob resume endpoints with off-origin Referer headers
- Correlate build resume events with user session activity to identify actions not initiated through the Jenkins UI
- Monitor for CSRF crumb validation failures and unusually high rates of Multijob endpoint access
- Review Jenkins audit trails for build state changes that lack corresponding interactive user activity
Monitoring Recommendations
- Forward Jenkins access and audit logs to a centralized logging or SIEM platform for review
- Establish baselines for normal Multijob build resume frequency and alert on deviations
- Track Referer and Origin headers on requests to Jenkins administrative endpoints
- Enable verbose logging on the Multijob Plugin during the remediation window to capture exploitation attempts
How to Mitigate CVE-2026-9674
Immediate Actions Required
- Upgrade the Jenkins Multijob Plugin to a version newer than 662.vd2e0001f6b_b_d once a patched release is available
- Review the Jenkins Security Advisory #SECURITY-3781 for current remediation guidance
- Restrict Jenkins access to trusted networks and authenticated users only
- Enforce least-privilege role assignments for users who can resume Multijob builds
Patch Information
Refer to the Jenkins Security Advisory #SECURITY-3781 for the authoritative patch version and upgrade instructions. Apply the update through the Jenkins Plugin Manager and validate the installed version after restart.
Workarounds
- Disable the Multijob Plugin until a patched version can be deployed if the functionality is not essential
- Require Jenkins users to log out of administrative sessions when not actively using the platform
- Configure browser session isolation or use dedicated browsers for Jenkins administration to limit CSRF exposure
- Ensure Jenkins CSRF protection is enabled globally under Manage Jenkins > Security settings
# Verify installed Multijob Plugin version via Jenkins CLI
java -jar jenkins-cli.jar -s https://jenkins.example.com/ list-plugins | grep jenkins-multijob-plugin
# Upgrade the plugin to the patched version
java -jar jenkins-cli.jar -s https://jenkins.example.com/ install-plugin jenkins-multijob-plugin -deploy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
