CVE-2026-53436: Jenkins Login Redirect Phishing Vulnerability (CVSS 4.3)
Jenkins contains a validation flaw in its login redirect mechanism that allows attackers to craft phishing URLs appearing to come from a legitimate Jenkins instance. When users log in, Jenkins is supposed to redirect them to internal pages, but the vulnerability allows attackers to redirect users to external malicious sites by exploiting how the application handles relative path segments (like `./` or `../`). An attacker would need to trick a user into clicking a specially crafted link, but the exploit itself is straightforward and doesn't require special technical skills.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-53436 is an open redirect vulnerability (CWE-601) affecting Jenkins 2.567 and earlier, and LTS releases 2.555.2 and earlier. The vulnerability stems from improper URL validation in the post-login redirect logic. Jenkins fails to properly sanitize redirect URLs that contain relative path traversal sequences, allowing an attacker to bypass the intended same-origin check. By crafting a URL with relative path components, an attacker can construct a redirect that appears to pass Jenkins' validation but ultimately directs the user to an attacker-controlled domain. The vulnerability requires user interaction (clicking a malicious link) but no authentication or special privileges.
Business impact
This vulnerability enables phishing attacks targeting Jenkins users. Attackers can create deceptive login flows that appear legitimate, potentially capturing credentials, session tokens, or sensitive information from users who believe they are interacting with their organization's Jenkins instance. In environments where Jenkins controls CI/CD pipelines, credential theft could lead to unauthorized code commits, pipeline manipulation, or lateral movement into development and production systems. The attack is particularly effective in organizations where users may be less vigilant about URL verification during routine login flows.
Affected systems
Jenkins versions 2.567 and earlier are affected, as well as Jenkins LTS versions 2.555.2 and earlier. Organizations running any release within these version ranges—whether standard or long-term support tracks—should assess their exposure. The vulnerability affects all Jenkins deployments regardless of plugins or configuration, as the flaw is in core authentication redirect logic.
Exploitability
Exploitability is moderate but practical. The attack requires no authentication, no special network access, and no server-side vulnerabilities; it is purely a client-side social engineering vector. The attacker simply needs to distribute a specially crafted URL (via email, chat, forums, etc.) to target Jenkins users. Success depends on user interaction and the attacker's ability to create a convincing phishing page or credential harvesting endpoint. The relative low CVSS score (4.3) reflects the requirement for user interaction, but the simplicity of the attack and high success rate in real-world phishing scenarios should not be underestimated.
Remediation
Upgrade Jenkins to a patched version that properly validates redirect URLs. Verify the exact patch version by consulting the official Jenkins security advisory, as the ground-truth source indicates versions later than 2.567 (standard) and 2.555.2 (LTS) contain the fix. Organizations unable to patch immediately should implement compensating controls: restrict Jenkins network access to trusted internal networks, educate users to verify Jenkins URLs before entering credentials, and deploy email filtering to block phishing URLs. Consider implementing single sign-on (SSO) with strict redirect validation at the identity provider level.
Patch guidance
Apply the latest available Jenkins update for your release track (standard or LTS). Standard track users should upgrade to a version later than 2.567; LTS users should upgrade to a version later than 2.555.2. Verify exact patch versions against the official Jenkins security advisory before deploying. Test patches in a non-production environment first to ensure compatibility with existing plugins and workflows. Plan the upgrade during a maintenance window to minimize disruption to CI/CD pipelines. After upgrading, confirm the fix by reviewing release notes and testing redirect behavior with malicious URLs.
Detection guidance
Monitor Jenkins logs for redirect requests containing relative path sequences (`./` or `../`) in the redirect parameter. Inspect access logs for requests that appear to be login flows but redirect to external domains. Implement network monitoring to detect outbound connections from Jenkins to unexpected external hosts immediately following login activity. Review Jenkins authentication logs for patterns consistent with credential harvesting (multiple failed logins followed by successful login from unusual locations). Deploy email security controls to block distribution of known malicious Jenkins login URLs. Consider implementing HTTP Strict-Transport-Security (HSTS) headers to prevent downgrade attacks in conjunction with this vulnerability.
Why prioritize this
While the CVSS score is medium (4.3), this vulnerability should be prioritized for remediation due to its direct threat to user credentials and potential for supply chain compromise via CI/CD pipeline manipulation. Phishing attacks are among the most effective attack vectors, and the simplicity of exploitation combined with the critical nature of Jenkins in development environments elevates real-world risk. Organizations should treat this as a priority patch, particularly if Jenkins is internet-facing or accessible to external users.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects a network-accessible vulnerability requiring user interaction with low attack complexity and no special privileges. The score appropriately captures the technical attack surface, but the business context—the strategic importance of Jenkins in CI/CD and the practical effectiveness of phishing attacks—may warrant higher risk prioritization in your organization's threat model. The lack of KEV (Known Exploited Vulnerability) designation suggests active exploitation has not yet been publicly documented, providing a window for proactive patching before widespread abuse.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The attacker must trick a user into clicking a malicious link or visiting a crafted URL. Jenkins itself does not automatically redirect users to external sites. However, users often fail to scrutinize URLs during routine login, making this a highly effective social engineering vector.
Does this vulnerability allow code execution or data exfiltration?
No direct code execution or data exfiltration. The vulnerability is limited to redirecting users away from Jenkins after login. However, the redirect can point to a phishing site designed to steal credentials or session tokens, which can then be used to compromise Jenkins and downstream systems.
What relative path sequences trigger the vulnerability?
The vulnerability is triggered by relative path traversal sequences such as `./` and `../` embedded in the redirect URL parameter. These sequences allow the attacker to bypass simple same-origin validation checks, making the redirect appear legitimate to Jenkins while ultimately pointing to an external domain.
If we restrict Jenkins to internal networks only, are we safe?
Network restriction reduces exposure to external attackers but does not eliminate the vulnerability. Insider threats, compromised internal accounts, or malware on internal machines could still exploit this flaw. Patching remains the primary mitigation; network restriction provides defense-in-depth.
This analysis is provided for informational purposes and reflects the state of vulnerability information as of the publication date. Security landscapes evolve rapidly; verify all technical details, patch versions, and affected product versions against official vendor advisories before making deployment decisions. This document does not constitute legal, compliance, or professional security advice. Organizations should engage qualified security professionals to assess risk and implement appropriate mitigations for their specific environment. No exploit code, proof-of-concept tools, or weaponized attack methods are provided or endorsed by this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-53437MEDIUMJenkins Login Redirect Validation Bypass (Phishing Risk)
- CVE-2026-53440MEDIUMJenkins Open Redirect Phishing Vulnerability (CVSS 4.3)
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-11477MEDIUMhsweb OAuth2 Open Redirect Vulnerability – Patch Guide
- CVE-2026-21826MEDIUMHCL Digital Experience Host Header Injection Vulnerability
- CVE-2026-28301MEDIUMOpen Redirect Vulnerability (MEDIUM CVSS 4.8)
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)