CVE-2026-53437: Jenkins Login Redirect Validation Bypass (Phishing Risk)
Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a flaw in how they validate redirect URLs after user login. An attacker can craft a malicious redirect URL that appears to point to a legitimate Jenkins instance by inserting tab or newline characters between the `//` protocol separator, causing the validation to pass. When a user clicks such a link after logging in, they may be redirected to an attacker-controlled site while believing they're staying within Jenkins, enabling credential harvesting or other phishing attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-15
NVD description (verbatim)
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in Jenkins' post-login redirect validation logic (CWE-601: URL Redirection to Untrusted Site). The application fails to properly sanitize redirect parameters, specifically allowing tab (`\t`) and newline (`\n`) characters to be inserted between `//` in a URL. This permits bypass of domain validation checks that would normally reject off-site redirects. An attacker constructs a URL such as `http://jenkins.corp//\[email protected]/phish`, which passes validation but resolves to the attacker domain. The CVSS 3.1 score of 4.3 (Medium) reflects network-accessible exploitation requiring user interaction (phishing click) with no data confidentiality loss but integrity impact through credential theft.
Business impact
Phishing attacks leveraging this vulnerability can compromise user credentials of Jenkins administrators and engineers who trust login redirects as legitimate. Stolen credentials grant attackers access to Jenkins pipelines, artifact repositories, and CI/CD secrets, potentially enabling supply-chain attacks or lateral movement into build and deployment infrastructure. While individual impact is contained to credential compromise, the attack surface spans any organization where Jenkins is internet-facing or accessible via phishing links.
Affected systems
Jenkins versions 2.567 and all earlier releases are affected. Jenkins LTS (Long Term Support) releases through 2.555.2 are also vulnerable. Organizations running any version in these ranges should prioritize assessment and patching. Note that the provided data lists two Jenkins entries; verify against official Jenkins security advisories for the complete affected version matrix and any patches released post-2026-07-15.
Exploitability
Exploitation is straightforward and requires no special privileges or authentication bypass. The attacker simply crafts a malicious URL embedding whitespace characters and distributes it via phishing (email, chat, social engineering). The user must click the link after logging into Jenkins; no zero-click or network-only attack vector exists. The Medium CVSS score appropriately reflects the user-interaction requirement. No public exploit code is required; the attack is a simple URL manipulation. This vulnerability has not been flagged for inclusion in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Upgrade to a patched Jenkins version that properly sanitizes or rejects whitespace characters in redirect URLs. Contact Jenkins project releases or your vendor for the specific patch version addressing CVE-2026-53437. As a temporary mitigation, restrict Jenkins to internal networks where phishing is less likely, configure URL filtering on email gateways to block suspicious Jenkins login URLs, and educate users to verify redirect destinations before entering credentials.
Patch guidance
Check the Jenkins security advisory corresponding to CVE-2026-53437 for the minimum patch version. Typically, Jenkins publishes LTS and rolling releases; verify which release line your organization uses and apply the recommended update. Test the patch in a non-production environment first to confirm compatibility with plugins and existing configurations. Organizations on LTS should prioritize updates within their LTS cycle to minimize disruption.
Detection guidance
Monitor Jenkins access logs for redirect parameters containing encoded or literal tab and newline characters (look for `%09`, `%0A`, `\t`, `\n` in URLs or logs). Implement Web Application Firewall (WAF) rules to block requests with suspicious whitespace in the `next` or `from` parameters if Jenkins exposes these directly. Correlate login events with external domain requests to identify successful phishing; users redirected off-domain immediately after login may indicate an attack. Review browser security logs and DNS queries from user workstations for unexpected domain resolutions triggered by login pages.
Why prioritize this
Despite the Medium CVSS score, this vulnerability warrants prompt patching because it enables direct credential compromise of high-privilege Jenkins users (pipeline operators, administrators) without requiring an intermediate breach. Jenkins often holds secrets and deployment keys; compromised credentials create a high-impact supply-chain risk even if the CVSS does not fully capture organizational context. Prioritize patching internet-facing Jenkins instances and those in DMZ or high-trust networks before internal-only deployments.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: (1) Network accessibility (AV:N) and low attack complexity (AC:L) with no privilege requirement (PR:N), yielding broad reach; (2) Required user interaction (UI:R) via phishing click, limiting autonomous exploitation; (3) Integrity impact (I:L) through credential theft or session hijacking, but no confidentiality or availability loss; (4) Unchanged scope (S:U), limiting collateral blast radius. The score appropriately indicates a low-to-medium threat; organizational risk is higher due to Jenkins' role in CI/CD pipelines and secret storage.
Frequently asked questions
Can this vulnerability be exploited without tricking a user into clicking a link?
No. The attack requires user interaction—specifically, a user must click or follow a crafted redirect URL after logging into Jenkins. An attacker cannot force exploitation through network access alone.
If we run Jenkins behind a firewall or VPN, are we protected?
Network isolation significantly reduces phishing risk, but does not eliminate it. Users with remote access or those receiving phishing emails via external accounts remain vulnerable. A patch is still necessary for defense-in-depth.
What should we look for in logs to detect if an attack has occurred?
Search Jenkins access logs for redirect parameters containing tab (`%09`), newline (`%0A`), or other whitespace characters, particularly when followed by external domain names. Monitor for login events immediately followed by requests to non-Jenkins domains, which may indicate successful credential harvest.
Does this vulnerability allow attackers to read Jenkins secrets or data?
No. The vulnerability enables phishing and credential theft, not direct data exfiltration. However, stolen credentials can be used to access secrets, pipelines, and artifacts post-breach, making remediation urgent.
This analysis is based on the vulnerability description and CVSS vector published as of 2026-07-15. Specific patch versions and remediation steps must be verified against the official Jenkins security advisory. Organizations should conduct their own risk assessment and testing before applying patches. This document does not constitute professional security advice; consult your security team or vendor for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-53436MEDIUMJenkins Login Redirect Phishing Vulnerability (CVSS 4.3)
- CVE-2026-53440MEDIUMJenkins Open Redirect Phishing Vulnerability (CVSS 4.3)
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-11477MEDIUMhsweb OAuth2 Open Redirect Vulnerability – Patch Guide
- CVE-2026-21826MEDIUMHCL Digital Experience Host Header Injection Vulnerability
- CVE-2026-28301MEDIUMOpen Redirect Vulnerability (MEDIUM CVSS 4.8)
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)