MEDIUM 5.4

CVE-2026-53441: Jenkins Stored XSS in Offline Cause Configuration

Jenkins versions 2.483–2.567 and LTS 2.492.1–2.555.2 contain a stored cross-site scripting (XSS) vulnerability in how they handle user-supplied descriptions for generic offline causes. An attacker with Agent/Configure permissions can inject malicious script into the offline cause description via the POST config.xml API, and that script will execute in the browsers of other users who view the Jenkins interface. This is a classic stored XSS—the payload persists in Jenkins' configuration until removed.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-07-06

NVD description (verbatim)

Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists because Jenkins fails to properly escape user input when processing the description field of a generic offline cause through its config.xml API endpoint. An authenticated user with Agent/Configure role permissions can submit a POST request containing unescaped HTML or JavaScript in the offline cause description parameter. Jenkins stores this unescaped content in its configuration. When subsequent users access the Jenkins web interface and load pages that display this offline cause, the browser executes the attacker's injected script in their security context. The attack vector is network-based, requires low attack complexity, and depends on an authenticated user with specific permissions (Agent/Configure), and requires user interaction (the victim must view the affected interface). CWE-79 classification confirms the XSS nature of the flaw.

Business impact

A successful exploit allows an attacker to steal session cookies, modify Jenkins job configurations, create or disable jobs, steal credentials stored in Jenkins, or redirect users to malicious sites—all while appearing to come from the legitimate Jenkins interface. Since the XSS is stored, the attack affects all users who subsequently log into Jenkins and view the poisoned offline cause description. In multi-user Jenkins environments, this can compromise the integrity of CI/CD pipelines and undermine trust in automation decisions. The impact is limited to confidentiality and integrity; availability is not directly affected.

Affected systems

The vulnerability affects Jenkins 2.483 through 2.567 (inclusive) in the weekly release line, and Jenkins LTS 2.492.1 through 2.555.2 (inclusive) in the long-term support line. Organizations running any Jenkins instance within these version ranges are potentially exposed if users with Agent/Configure permissions exist and can be compromised or are malicious insiders.

Exploitability

Exploitation requires an authenticated attacker with Agent/Configure permissions. This is a meaningful privilege requirement—the attacker cannot be an unauthenticated external user. However, Agent/Configure is a relatively broad permission set that may be granted to build engineers or infrastructure operators who manage Jenkins agents. The attack requires the victim to view the Jenkins interface after the payload is injected, but this is nearly certain in an active Jenkins environment. No complex exploitation steps are required; a simple POST to config.xml with an unescaped script tag in the offline cause description is sufficient. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been publicly confirmed or formally tracked at this time.

Remediation

Upgrade to a patched version outside the affected ranges. Verify the specific patch versions available for your release line (weekly or LTS) by consulting the official Jenkins security advisory. As an interim control, restrict Agent/Configure permissions to only trusted users and monitor config.xml API access logs for suspicious POST requests containing script-like content. Review existing offline cause descriptions in your Jenkins instance for any suspicious content that may indicate prior compromise.

Patch guidance

Check the Jenkins project's official security advisories (typically published on jenkins.io/security) for the exact patched version numbers for both the weekly and LTS release lines. The vulnerability affects a wide range of versions, so do not assume that a version number slightly above 2.567 or 2.555.2 is automatically safe—always verify against the vendor advisory. Plan upgrades based on your organization's release line (weekly vs. LTS); LTS users should prioritize LTS patch releases to minimize compatibility disruption.

Detection guidance

Monitor Jenkins config.xml files and backups for embedded script tags, HTML entities, or encoded payloads in offline cause description fields. Review Jenkins audit logs (if available) for POST requests to config.xml endpoints issued by users with Agent/Configure permissions, especially requests that include suspicious parameter values. In Jenkins instances with audit plugins, look for configuration changes to offline cause settings. Network-level detection is difficult because the exploit uses legitimate Jenkins API endpoints, but anomalous changes to Jenkins configuration should trigger investigation.

Why prioritize this

Although the CVSS score is MEDIUM (5.4), this vulnerability merits attention because it affects the core integrity of Jenkins configuration management and CI/CD pipelines. The stored nature of the XSS means a single compromise can affect all subsequent users. However, the requirement for authenticated access with specific permissions limits the threat to environments where insider risk or compromised operator credentials are a concern. Organizations with strong access controls and regular user activity monitoring can deprioritize this slightly, but those with distributed Jenkins teams or public-facing Jenkins instances should prioritize patching.

Risk score, explained

The CVSS 3.1 score of 5.4 reflects a network attack vector, low attack complexity, and a requirement for authenticated access with limited privileges (Agent/Configure). The scope is changed (users outside the role can be affected), and the impact is low to moderate—confidentiality and integrity can be compromised, but availability is not directly affected. This results in a MEDIUM severity rating. The score does not account for organizational factors such as the presence of sensitive credentials in Jenkins or the criticality of CI/CD pipelines; adjust risk rating based on your environment's reliance on Jenkins for production deployments.

Frequently asked questions

Can an attacker exploit this vulnerability without Jenkins credentials?

No. The vulnerability requires an authenticated user with Agent/Configure permissions. Unauthenticated external attackers cannot exploit this directly. However, if an attacker compromises a user account with those permissions or if a malicious insider exists, the vulnerability becomes immediately exploitable.

What happens if I upgrade to a version outside the affected range?

Upgrading to a version above 2.567 (for weekly) or above 2.555.2 (for LTS) should mitigate the vulnerability, assuming the patched version addresses the input escaping issue. Always verify the specific patched version in the official Jenkins security advisory to confirm the fix is included.

Is this vulnerability already being exploited?

The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, which suggests it has not been confirmed as actively exploited at scale or weaponized in public campaigns. However, this does not mean it is not a real risk in targeted environments, especially those with known insider threats or compromised operator accounts.

If we restrict Agent/Configure permissions, are we safe?

Restricting Agent/Configure permissions significantly reduces your exposure, but it does not eliminate the risk if any users retain those permissions. Even a single privileged user who is either malicious or whose credentials are compromised can inject the XSS payload. Use this as an interim control while you plan and test your upgrade.

This analysis is based on available vulnerability data as of the modification date (2026-07-06). Specific patch version numbers, release timelines, and remediation steps should be verified against the official Jenkins security advisory on jenkins.io/security. Organizations should conduct their own risk assessment based on their Jenkins configuration, user base, and exposure to personnel with Agent/Configure permissions. This explainer does not constitute security advice and should be reviewed by your organization's security team before implementation of any remediation steps. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).