MEDIUM 5.3

CVE-2026-53442: Jenkins Unencrypted Credential Storage in Job Configurations

Jenkins fails to encrypt sensitive credentials when they are submitted via POST requests to update job configurations. Instead of storing these secrets securely, Jenkins saves them in plain text within job config.xml files on the controller. Any user with permission to read job details or anyone with file system access to the Jenkins controller can view these unencrypted secrets, creating a path for credential theft.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-311
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-53442 is an information disclosure vulnerability in Jenkins 2.567 and earlier (LTS 2.555.2 and earlier) affecting credential handling during configuration updates. When secrets are submitted through POST requests to update job configurations, Jenkins does not apply encryption before persisting the data to disk. The plaintext secrets are stored in job config.xml files on the controller filesystem. The vulnerability stems from inadequate protection of sensitive data at rest (CWE-311) and is exploitable over the network without authentication or user interaction, though discovering and accessing the unencrypted secrets requires either Item/Extended Read permission on Jenkins or direct filesystem access.

Business impact

Organizations running affected Jenkins instances face credential compromise risks. Exposed secrets could include API tokens, cloud provider credentials, database passwords, or other authentication material stored in job configurations. Attackers with low-privilege Jenkins accounts or filesystem access can harvest these credentials for lateral movement, resource abuse, or access to downstream systems. In multi-tenant or shared Jenkins environments, this creates cross-project credential leakage scenarios. The impact is compounded in setups where Jenkins integrates with critical infrastructure, cloud deployments, or supply chain tooling.

Affected systems

Jenkins versions 2.567 and earlier are affected, as are Jenkins LTS versions 2.555.2 and earlier. All job configurations created or modified on affected versions may contain plaintext secrets if credentials were submitted via the web interface during configuration updates. Environments where multiple users share Jenkins access or where Jenkins controller filesystem is accessible to untrusted accounts face heightened risk.

Exploitability

The vulnerability is remotely exploitable without authentication in the sense that network access to Jenkins is required; however, practical exploitation requires one of two conditions: (1) a user account with Item/Extended Read permission to browse affected job configurations, or (2) direct access to the Jenkins controller filesystem. The attack surface is moderate in open Jenkins deployments but lower in restrictive environments with strong access controls. No active public exploits are documented, and the vulnerability is not tracked in CISA's Known Exploited Vulnerabilities catalog.

Remediation

Upgrade Jenkins to a patched version released after this advisory (verify current patch versions against the vendor advisory). For immediate mitigation on unpatched systems: (1) audit job configurations for plaintext secrets and rotate any exposed credentials in downstream systems; (2) restrict Item/Extended Read permission to trusted users only; (3) implement filesystem-level access controls to limit who can read Jenkins configuration directories; (4) consider encrypting the Jenkins controller filesystem or storing sensitive job configurations on separate, access-restricted storage.

Patch guidance

Jenkins has released patches addressing this vulnerability. Consult the official Jenkins security advisory for the specific patched versions and upgrade path for your deployment. LTS users should prioritize upgrading to the next available LTS release that includes the fix. Test patches in a non-production environment before production deployment to ensure compatibility with plugins and existing configurations.

Detection guidance

Review job config.xml files for plaintext credentials (API tokens, passwords, cloud keys) stored in credential or secret fields. Examine Jenkins web UI logs and audit trails for POST requests to job configuration endpoints, particularly from low-privilege accounts. Monitor filesystem access to Jenkins configuration directories via file integrity monitoring or filesystem audits. Compare currently stored job configurations against your credential management policy to identify deviations. In version control systems where Jenkins configurations are backed up or exported, scan historical versions for plaintext secrets.

Why prioritize this

Although the CVSS score is moderate (5.3), this vulnerability should be prioritized for patching because: (1) credential theft directly enables lateral movement and system compromise; (2) Jenkins is deeply integrated in CI/CD pipelines where exposed credentials have supply-chain implications; (3) in shared or multi-tenant Jenkins environments, cross-project credential leakage is likely; (4) the vulnerability affects all affected job configurations retroactively, creating a large exposure surface. Environments with sensitive downstream integrations (cloud providers, production databases, artifact repositories) should prioritize fastest patching.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects low attack complexity and no authentication requirement for network access, but limited scope (secrets confined to individual jobs) and no integrity or availability impact. However, the practical severity is higher in credentials-heavy CI/CD environments where stolen secrets unlock further attacks. The score does not account for the criticality of secrets often stored in Jenkins job configs or supply-chain risk amplification.

Frequently asked questions

Why is this a network vulnerability if it requires filesystem access to Jenkins?

The CVSS vector treats network access (AV:N) as a condition met if the attack surface is reachable over the network—meaning an attacker can interact with Jenkins remotely. The vulnerability itself is that secrets are stored unencrypted; exposure occurs either through Jenkins' own permission model (Item/Extended Read) or through filesystem compromise. Both are plausible attack paths in a network-connected system.

Do I need to rotate credentials if I don't know which jobs contain secrets?

Yes. Assume any job configuration created or modified on an affected Jenkins version may contain plaintext secrets. Conduct a thorough audit of all job configurations, export them if safe, and scan for common credential patterns (API keys, passwords). Rotate credentials in downstream systems (cloud accounts, databases, repositories, etc.) as a precaution, especially for critical integrations. This is the safest approach in high-security environments.

If I use Jenkins Credentials Plugin with encrypted storage, am I protected?

The Jenkins Credentials Plugin encrypts credentials in its own storage, but this vulnerability affects secrets submitted via POST configuration updates that bypass or supplement the Credentials Plugin. Always verify that your job configurations use Jenkins' official Credentials Plugin mechanism rather than embedding secrets directly in job config fields. Review job configurations for plaintext credentials regardless of whether the Credentials Plugin is deployed.

What's the difference between this vulnerability and secrets in logs or console output?

This vulnerability specifically addresses plaintext secrets stored permanently in job config.xml files on disk. Logs and console output are separate concerns. A job can leak secrets both ways (in configuration files and in execution logs). Address both by: (1) patching this vulnerability, (2) implementing secrets masking in Jenkins pipeline execution, and (3) restricting access to logs and artifacts.

This analysis is provided for informational purposes and does not constitute professional security advice. Organizations should validate all findings, patch versions, and remediation steps against official vendor advisories and their own security policies. SEC.co does not guarantee the completeness or accuracy of third-party vendor information. Patch availability and timelines should be verified directly with Jenkins official security channels. For production environments, conduct testing before applying patches. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).