CVE-2026-10276: Jenkins-server-mcp SSRF Vulnerability (0.1.0)
A server-side request forgery (SSRF) vulnerability exists in Jenkins-server-mcp version 0.1.0, a Jenkins integration tool. An authenticated attacker can manipulate the jobPath parameter in build status, log retrieval, or build trigger operations to make the server issue malicious requests to internal or external systems. The vulnerability requires valid login credentials but no user interaction, and the exploit code has already been made public.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in hekmon8 Jenkins-server-mcp 0.1.0. This vulnerability affects the function jobPath of the file src/index.ts of the component get_build_status/get_build_log/trigger_build. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10276 is a server-side request forgery (CWE-918) in the jobPath function within src/index.ts of Jenkins-server-mcp 0.1.0. The vulnerability affects three API endpoints: get_build_status, get_build_log, and trigger_build. By crafting a malicious jobPath parameter, an authenticated user can cause the server to make arbitrary HTTP requests on their behalf. The CVSS 3.1 score of 6.3 (MEDIUM) reflects the requirement for prior authentication (PR:L), though the attack has no network or user interaction barriers once authenticated. Public disclosure of the exploit means attack complexity is low (AC:L).
Business impact
Organizations using Jenkins-server-mcp 0.1.0 face risk of internal network reconnaissance, credential harvesting, and lateral movement if an attacker gains Jenkins credentials or if internal users abuse the feature. An attacker could probe internal services, exfiltrate data from internal APIs, or trigger actions on third-party systems masquerading as the Jenkins server. The impact is confined to confidentiality, integrity, and availability of connected systems—not direct system compromise—but can enable broader infrastructure attacks.
Affected systems
Jenkins-server-mcp version 0.1.0 is the sole confirmed affected version. This is a specialized Jenkins integration component, likely used in CI/CD pipelines or automation frameworks that rely on Jenkins APIs. Deployments are likely concentrated among development and DevOps teams. The vendors_products field is empty, indicating this is a third-party or community tool rather than a vendor-managed product.
Exploitability
The vulnerability is exploitable with a low barrier to entry: it requires only valid Jenkins credentials and standard HTTP requests. Public exploit disclosure accelerates risk; proof-of-concept code is available. However, the requirement for authentication prevents anonymous exploitation. The practical threat level depends on credential hygiene and access controls in your Jenkins environment.
Remediation
Immediate action: audit Jenkins-server-mcp 0.1.0 deployments and restrict access to trusted users only. The project maintainer has not yet released a patch despite early notification. Monitor the project repository for updates; if no patch becomes available within a reasonable timeframe, consider forking the code to apply a fix, or migrate to an alternative Jenkins integration tool. Long-term: implement network segmentation to limit the impact of SSRF attacks, and enforce strict outbound request policies on Jenkins server processes.
Patch guidance
As of the modification date (June 17, 2026), no official patch version has been confirmed released. Verify the Jenkins-server-mcp GitHub repository or package registry for any updates. If upgrading past 0.1.0, validate that the jobPath parameter is properly sanitized and validated against an allowlist of permitted Jenkins paths. If no patch is available, apply a Web Application Firewall rule to restrict outbound requests from the Jenkins server or implement reverse proxy controls to block SSRF attempts.
Detection guidance
Monitor Jenkins logs for unusual API requests to get_build_status, get_build_log, or trigger_build endpoints with suspicious jobPath parameters (e.g., containing http://, localhost, or internal IP addresses). Track outbound HTTP(S) connections from the Jenkins server to non-whitelisted destinations. Inspect authentication logs for credential access patterns that may indicate compromised accounts. Network intrusion detection systems should flag outbound requests from Jenkins to internal network ranges or sensitive external services.
Why prioritize this
Although rated MEDIUM (6.3), this vulnerability merits prompt attention because: (1) exploit code is public, lowering attack friction; (2) it enables reconnaissance and lateral movement in CI/CD environments, which are high-value targets; (3) the maintainer's non-response suggests no timely patch may be forthcoming; and (4) Jenkins credentials are often long-lived and shared across teams. Organizations should prioritize patching or alternative remediation if Jenkins-server-mcp is in active use.
Risk score, explained
CVSS 3.1 assigns a score of 6.3 (MEDIUM) based on: Network attack vector (AV:N), low attack complexity (AC:L, reflecting public exploit availability), low privileges required (PR:L, standard user credentials), no user interaction (UI:N), and impacts limited to the connected services rather than the Jenkins server itself (S:U). The score does not account for the upstream value of CI/CD environments or the potential for lateral movement, which may elevate organizational risk above the base CVSS rating.
Frequently asked questions
Do we need credentials to exploit this vulnerability?
Yes. The vulnerability requires valid Jenkins credentials (PR:L in the CVSS vector). However, if your Jenkins instance permits user self-registration or uses shared service accounts, the barrier to entry is lower. Review your access controls.
What can an attacker actually do with this vulnerability?
An authenticated attacker can force the Jenkins server to make HTTP requests to any destination they specify by manipulating the jobPath parameter. This enables probing internal networks, stealing data from internal APIs, triggering webhooks on external services, or launching further attacks. They cannot directly execute code on the Jenkins server itself.
Is there a patch available?
As of June 2026, the maintainer has not released a patch despite early notification. Check the project repository regularly. If no patch emerges, consider code review and internal patching, network isolation, or migration to an alternative tool.
How should we prioritize this against other vulnerabilities?
If Jenkins-server-mcp 0.1.0 is in production, prioritize it for remediation planning within 30 days due to public exploit availability and the high value of CI/CD infrastructure. If the tool is not in active use, deprioritize in favor of vulnerabilities affecting your primary attack surface.
This analysis is provided for informational purposes and does not constitute professional security advice. The vulnerability details, CVSS score, and affected versions are based on public disclosures as of June 2026. Organizations should conduct their own risk assessment, verify patch availability with the vendor or project maintainer, and test any remediation in a non-production environment before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and assumes no liability for decisions made in reliance upon it. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk
- CVE-2026-10177MEDIUMSSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint
- CVE-2026-10239MEDIUMJeecgBoot Server-Side Request Forgery (SSRF) in Word Editing Module
- CVE-2026-10240MEDIUMJeecgBoot SSRF Vulnerability in /airag/airagModel/test Endpoint
- CVE-2026-10241MEDIUMJimuReport SSRF in File Download Function – Patch to 3.9.2
- CVE-2026-10274MEDIUMServer-Side Request Forgery in aem-mcp-server
- CVE-2026-10517MEDIUMClair SSRF Vulnerability – Unfiltered HTTP Requests Leak Metadata
- CVE-2026-10581MEDIUMDedeCMS 5.7.88 SSRF Vulnerability in Download Function