MEDIUM 4.3

CVE-2026-53440: Jenkins Open Redirect Phishing Vulnerability (CVSS 4.3)

Jenkins versions 2.567 and earlier (LTS 2.555.2 and earlier) contain a flaw in their "Delegate to servlet container" security realm that fails to validate redirect destinations after user login. An attacker can craft a malicious link that redirects authenticated users to an attacker-controlled website, enabling phishing attacks that steal credentials or distribute malware while appearing to come from a legitimate Jenkins instance.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-601
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Jenkins' handling of the "from" parameter within the servlet container delegation security realm. When users authenticate via this realm, the application does not properly sanitize or validate the redirect target before performing a post-login redirect. This open redirect (CWE-601) allows attackers to supply arbitrary URLs that will be followed by authenticated users, creating a trusted-origin phishing vector. The issue affects Jenkins 2.567 and all earlier versions, as well as LTS releases up to 2.555.2.

Business impact

Organizations using Jenkins for CI/CD pipeline management face elevated phishing risk targeting their development and operations staff. Compromised Jenkins credentials could lead to unauthorized pipeline execution, artifact tampering, or lateral movement into connected systems. The attack requires user interaction but exploits the inherent trust users place in post-login redirects from their own authentication system, making it particularly effective in social engineering campaigns.

Affected systems

All Jenkins instances running version 2.567 or earlier are vulnerable, including users of the LTS release stream (2.555.2 and earlier). The vulnerability applies specifically when using the "Delegate to servlet container" security realm configuration. Organizations using alternative authentication backends (LDAP, AD, or other security realms) are not affected by this particular flaw.

Exploitability

The attack has a low barrier to entry: an attacker needs only to craft a specially-formed Jenkins login URL containing a malicious "from" parameter and distribute it through social engineering. The CVSS score of 4.3 (Medium) reflects that exploitation requires user interaction and causes integrity impact only (no confidentiality or availability loss). However, the low technical complexity and ubiquity of Jenkins in development environments means this could see widespread exploitation if actively weaponized.

Remediation

Jenkins administrators should upgrade to patched releases as soon as they become available. Verify against the official Jenkins security advisory for the specific patched version numbers for both the main release line and LTS. As an interim mitigation, restrict external access to Jenkins login pages, enforce multi-factor authentication to reduce phishing effectiveness, and educate users to verify redirect destinations match expected Jenkins infrastructure before entering credentials.

Patch guidance

Monitor the Jenkins project security advisories for release announcements. Patched versions will be released for both the main release line (above 2.567) and the LTS track (above 2.555.2). Apply updates during your standard maintenance windows, prioritizing systems with public internet exposure or high-value CI/CD responsibilities. Test patched versions in a staging environment to confirm compatibility with your existing plugins and workflows before production deployment.

Detection guidance

Monitor Jenkins access logs for the "from" parameter containing non-local domains or suspicious hostnames. Alert on authentication events followed by redirects to external URLs. Review proxy or WAF logs for POST requests to Jenkins login endpoints with unusual redirect targets. Track which Jenkins security realm configurations are in use across your infrastructure to identify instances using the vulnerable "Delegate to servlet container" setting. Implement network segmentation to limit Jenkins' ability to redirect users to arbitrary external sites.

Why prioritize this

This vulnerability merits prompt attention despite its Medium CVSS score because it directly targets user trust in internal authentication systems. Jenkins instances exposed to the internet or used by numerous developers should be patched first. Organizations in regulated industries or with strict security postures should prioritize this to maintain authentication integrity and reduce phishing surface area. The low attack complexity and reliance on social engineering rather than technical sophistication make it a realistic threat in targeted campaigns.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects an open redirect with user interaction required (UI:R) and integrity impact only (I:L). The score appropriately excludes confidentiality and availability losses because the vulnerability enables phishing rather than direct data theft or service disruption. However, the contextual risk is elevated for organizations where Jenkins operators have elevated privileges, where phishing success could cascade into broader system compromise. The lack of KEV designation indicates this is not yet observed in active, widespread exploitation, providing a window for proactive patching.

Frequently asked questions

Do all Jenkins security realms have this vulnerability?

No. The vulnerability is specific to the "Delegate to servlet container" security realm. Jenkins instances using LDAP, Active Directory, Okta, or other authentication backends are not affected by this particular flaw. Check your Jenkins configuration to verify which security realm you are using.

Can an attacker exploit this without user interaction?

No. The attacker must trick a user into clicking a crafted link containing the malicious "from" parameter. The redirect occurs only after the user has successfully authenticated, so phishing success depends on social engineering. This is why user awareness training complements technical patches.

What should we do if we cannot patch immediately?

Implement defense-in-depth: enforce multi-factor authentication to reduce phishing effectiveness, restrict Jenkins web access to internal networks only, monitor and alert on unusual redirect targets in access logs, and educate users to verify they are logging into legitimate Jenkins infrastructure before entering credentials.

Does this vulnerability affect Jenkins agents or only the controller?

This applies to the Jenkins controller's authentication and login redirect functionality. Jenkins agents do not have web-based login interfaces and are therefore not affected by this specific open redirect vulnerability.

This analysis is based on vulnerability data available as of 2026-06-17. Specific patch version numbers, KEV inclusion status, and technical details should be verified against official Jenkins security advisories at jenkins.io/security. This vulnerability analysis does not constitute security advice; organizations should conduct their own risk assessment based on their specific Jenkins deployments, configurations, and threat models. No exploit code or proof-of-concept details are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).