CVE-2026-53438: Jenkins Permission Bypass Allows Unauthorized Queue Cancellation
Jenkins versions 2.567 and earlier (or LTS 2.555.2 and earlier) contain a permission bypass flaw that allows authenticated users holding the Item/Cancel permission to cancel build queue items without requiring Item/Read permission. This means an attacker with limited cancellation rights can disrupt builds they shouldn't be able to view or access, effectively using one permission to circumvent another. The vulnerability is not actively exploited in the wild and requires authenticated access, making it a moderate risk in most deployments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-53438 is a missing authorization check (CWE-862) in Jenkins that fails to validate Item/Read permission when processing queue cancellation requests. The vulnerability affects Jenkins versions up to 2.567 (main release line) and 2.555.2 (LTS line). An attacker with Item/Cancel permission but without Item/Read permission can send API or UI requests to cancel arbitrary queue items, bypassing the intended permission hierarchy. The CVSS 3.1 score of 4.3 (MEDIUM) reflects low attack complexity and no user interaction required, though impact is limited to integrity (ability to cancel jobs, not access sensitive data or execute code).
Business impact
Organizations running Jenkins as a CI/CD orchestration platform should assess whether hostile or semi-trusted users hold Item/Cancel permission without Item/Read permission. The primary risk is job queue disruption—attackers could cancel critical builds, causing pipeline delays and potential deployment failures. In multi-tenant or shared Jenkins environments, this becomes a denial-of-service vector against team workflows. The impact is operational rather than data-compromising, but consistent cancellation attacks could hamper release cycles and testing velocity.
Affected systems
Jenkins open-source (versions 2.567 and earlier) and Jenkins LTS (versions 2.555.2 and earlier) are affected. Organizations should verify their installed version via Manage Jenkins > System Information. Any deployment offering Item/Cancel permission to users (common in role-based access control setups) is in scope. Jenkins on any platform (on-premises, cloud-hosted, containerized) is vulnerable if running an affected version.
Exploitability
Exploitation requires authenticated access with Item/Cancel permission—an attacker cannot exploit this from an unauthenticated state. Given that Item/Cancel is a narrow permission (typically granted to build operators or CI engineers), the attack surface is constrained to insider or compromised-credential scenarios. No known public exploits exist. The attack is trivial to execute once permissions are present (a single API call or UI button click), but initial access barriers limit widespread abuse. CVSS vector (PR:L) reflects the low privilege requirement; this is not a critical remote code execution or privilege escalation vulnerability.
Remediation
Upgrade Jenkins to a patched version released after June 10, 2026. Check the official Jenkins security advisory for specific patch versions (2.568 or later for the main release line, and the corresponding LTS update). If upgrading is not immediately feasible, restrict Item/Cancel permission to users who also have Item/Read permission through Jenkins' built-in authorization strategy (e.g., matrix-based security or role-strategy plugin). Audit existing permissions and remove Item/Cancel from users who should not view jobs.
Patch guidance
Jenkins maintainers have issued fixes addressing the permission check. Administrators should verify the patched version against the official Jenkins security advisory (https://www.jenkins.io/security/advisory/) to confirm the exact version numbers for both the main and LTS release lines. Plan upgrades during maintenance windows to avoid build queue disruption. After patching, test that users with Item/Cancel permission can still cancel their own builds while being blocked from canceling builds they lack Item/Read permission for. Monitor Jenkins logs for any cancellation attempts post-patch to verify new enforcement.
Detection guidance
Monitor Jenkins audit logs and API request logs for unusual queue cancellation activity, especially from users with limited permissions. Alert on Item/Cancel API calls (e.g., POST /queue/item/<id>/cancelQueue) from accounts that lack Item/Read on the targeted jobs. Review job permission assignments in Jenkins configuration to identify users with Item/Cancel but not Item/Read (likely an unintended configuration). Consider deploying a Jenkins security plugin or SIEM integration to correlate permission assignments with observed API calls and flag anomalies.
Why prioritize this
This vulnerability merits medium priority: it requires authentication, has no active KEV or ransomware association, and does not enable data theft or remote code execution. However, in shared or multi-tenant Jenkins environments, it should be prioritized above low-risk issues because it enables targeted job disruption. Organizations with strict access controls isolating Item/Cancel from Item/Read can defer patching briefly; those with overlapping or overly broad permissions should patch sooner. The moderate CVSS score (4.3) aligns with operational impact rather than critical risk.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: (1) Network-accessible attack vector (AV:N), (2) Low attack complexity (AC:L—no special conditions needed), (3) Low privileges required (PR:L—must have Item/Cancel permission), (4) No user interaction (UI:N), (5) Unchanged scope (S:U), (6) No confidentiality impact (C:N), and (7) Low integrity impact (I:L—can cancel jobs but not corrupt data or gain elevated access). The score does not account for business context (disruption to CI/CD pipelines can be material) or environmental factors; organizations should consider increasing internal risk ratings if Jenkins controls critical deployments.
Frequently asked questions
Do we need to patch immediately if we use Jenkins only for internal, trusted users?
If all Jenkins users are trusted employees and Item/Cancel is only granted to senior engineers with Item/Read permission, your risk is lower. However, you should still plan a patch within your normal maintenance cycle (e.g., next scheduled upgrade window within 30 days) because permission models can drift over time and compromised credentials are always a concern.
Can this vulnerability be exploited remotely without any Jenkins account?
No. CVE-2026-53438 requires valid Jenkins authentication and the specific Item/Cancel permission. An attacker cannot exploit it anonymously or with a standard read-only Jenkins account. It is not a zero-day or unauthenticated remote code execution vulnerability.
How do we know if our Jenkins instance is vulnerable?
Check your installed Jenkins version in Manage Jenkins > System Information. If you are running Jenkins 2.567 or earlier (main release) or 2.555.2 or earlier (LTS), you are vulnerable. Review your authorization strategy (e.g., Matrix Authorization, Role Strategy plugin) to see which users hold Item/Cancel; cross-reference against their Item/Read permissions. Any mismatch indicates exposure.
If we patch, will our build queue be affected?
Patching itself does not interrupt running builds or clear the queue. You should perform the upgrade during a scheduled maintenance window when new job submissions can be paused. After patching, running builds will continue, and the queue will resume normally once Jenkins restarts and permissions are re-enforced.
This analysis is based on publicly available information about CVE-2026-53438 and the vendor security advisory as of the publication date. SEC.co makes no warranties regarding the completeness or accuracy of patch version numbers or availability dates; always verify against the official Jenkins security advisory (https://www.jenkins.io/security/) before deploying patches. Real-world impact varies by deployment configuration, access control policies, and job criticality. This explainer is for informational purposes and does not constitute legal or compliance advice. Organizations must conduct their own risk assessments and testing before patching production systems. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-53439MEDIUMJenkins Permission Bypass Enables User Enumeration
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10787MEDIUMMissing Authorization in Devolutions Server Deleted User Groups API
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP