CVE-2026-53439: Jenkins Permission Bypass Enables User Enumeration
Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a permission bypass vulnerability that allows low-privileged attackers to discover sensitive information about other users. Specifically, attackers who have been granted the basic Overall/Read permission can view other users' timezone settings and enumerate the names of views in other users' private "My Views" sections. This is an information disclosure issue that could support reconnaissance or social engineering attacks, though it does not enable direct system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-53439 stems from missing authorization checks in Jenkins REST API endpoints and web UI components that handle user profile data and view enumeration. An authenticated user with Overall/Read permission can query endpoints that should be restricted to either administrators or the owning user, bypassing the intended access control model. The vulnerability affects Jenkins 2.567 and all earlier versions, as well as LTS releases through 2.555.2. The CVSS 3.1 score of 4.3 (MEDIUM) reflects limited attack complexity and low attack scope—the threat requires valid credentials but no user interaction, and the impact is confined to confidentiality of user metadata.
Business impact
Information disclosure of this nature can enable targeted phishing, social engineering, or account enumeration attacks. Attackers could map user communities, identify high-value targets by timezone or view preferences, or gather reconnaissance data to refine targeted attacks. For organizations with sensitive Jenkins deployments or those handling regulated workloads, unauthorized information leakage may trigger compliance reporting obligations. The risk is amplified in multi-tenant Jenkins instances or those with many users across different access tiers.
Affected systems
All Jenkins releases version 2.567 and earlier are affected. Jenkins LTS users running version 2.555.2 and earlier are also vulnerable. This includes both self-managed installations and managed Jenkins services. The vulnerability requires an attacker to have valid Jenkins credentials with at minimum the Overall/Read permission, which is a low-level baseline permission often granted to broad user populations in Jenkins instances.
Exploitability
The barrier to exploitation is low. Any authenticated user with Overall/Read permission—a default permission granted during normal Jenkins onboarding—can exploit this vulnerability through standard REST API calls or web UI navigation. No special tools, complex attack chains, or user interaction are required. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild is not yet documented, though this may reflect the recent publication date.
Remediation
Upgrade Jenkins to a patched version that includes proper authorization checks on user profile and view enumeration endpoints. Verify the vendor advisory for specific patched versions (typically the next minor or patch release after 2.567 for standard releases and after 2.555.2 for LTS). As an interim control, organizations should review and restrict the Overall/Read permission to only users who genuinely require access to Jenkins browsing capabilities, and consider implementing network or proxy-level access controls if feasible.
Patch guidance
Monitor Jenkins project announcements and your instance's update notifications for releases that address CVE-2026-53439. Patched versions will enforce proper authorization on timezone and view enumeration endpoints. Test patches in a staging environment before production deployment. Jenkins supports in-place upgrades with minimal downtime using the restart-safe update mechanism. Coordinate upgrades with your change management process, noting that LTS releases are recommended for production environments due to their extended support window.
Detection guidance
Monitor Jenkins audit logs for API requests to endpoints serving user profile data (e.g., user API endpoints) or view enumeration requests that originate from users other than the profile owner or administrators. Look for unusual patterns of permission checks being bypassed or unexpected queries to /api/json or similar diagnostic endpoints. If Jenkins audit logging is not enabled, prioritize enabling it to establish a baseline before and after patching. Network-level detection is limited without endpoint visibility, as requests use normal HTTPS traffic.
Why prioritize this
Although the CVSS score is moderate (4.3), this vulnerability should be prioritized for rapid remediation in multi-user Jenkins environments. It poses a direct threat to information security posture by enabling reconnaissance and user enumeration. The ease of exploitation, combined with the likelihood that many Jenkins instances have numerous users at the Overall/Read tier, increases aggregate risk. Organizations should target patching within their standard update cycle (typically 30–60 days for MEDIUM-severity issues), but move faster if Jenkins is internet-facing or used in high-security contexts.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects the following: Attack Vector is Network (AV:N), allowing remote exploitation; Attack Complexity is Low (AC:L), requiring no special conditions; Privileges Required is Low (PR:L), as the attacker needs only baseline Overall/Read permission; User Interaction is None (UI:N), eliminating social engineering vectors; Scope is Unchanged (S:U), since the vulnerability does not break security boundaries between security domains; and the impact is Confidentiality Low (C:L), with no integrity or availability impact. The score appropriately captures a low-effort, low-impact information disclosure with a broad attack surface in Jenkins ecosystems.
Frequently asked questions
Can this vulnerability allow an attacker to modify or delete other users' configurations?
No. CVE-2026-53439 is strictly an information disclosure vulnerability. It only permits reading timezone settings and view names; it does not grant write or delete permissions. Integrity and availability of Jenkins configurations remain protected.
Do I need Overall/Read permission to exploit this vulnerability?
Yes. The attacker must be an authenticated Jenkins user with at least Overall/Read permission. Users without any Jenkins credentials cannot exploit it. However, Overall/Read is a low-level permission often granted during onboarding, so the practical barrier is relatively low in many organizations.
Will this vulnerability allow attackers to access sensitive build logs or credentials stored in views?
No. The vulnerability only reveals the *names* of views in a user's "My Views" section and the user's timezone setting. It does not grant access to build artifacts, logs, credentials, or other sensitive data within those views. Further privilege escalation would be required to access that content.
How long until a patch is available?
Jenkins typically releases security patches within days to weeks of a CVE announcement. Check the Jenkins security advisory page and your instance's update notification system for availability. LTS releases may lag standard releases by a few weeks due to extended testing cycles.
This analysis is provided for informational purposes and reflects the state of publicly available information as of the publication date. All technical details, patch versions, and exploit status should be verified against the official Jenkins security advisory before taking operational action. Organizations are responsible for assessing their own exposure and implementing appropriate controls in their specific environments. SEC.co does not provide legal advice; consult your organization's security and compliance teams regarding any regulatory reporting obligations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-53438MEDIUMJenkins Permission Bypass Allows Unauthorized Queue Cancellation
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10787MEDIUMMissing Authorization in Devolutions Server Deleted User Groups API
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP