CloudBees Security Advisory 2026-02-18

This advisory announces vulnerabilities in CloudBees CI and Jenkins.

Exposure of system-scoped CyberArk credentials in CloudBees CyberArk Credentials Provider Plugin

BEE-64873
Severity (CVSS): Medium
Description:

CloudBees CyberArk Credentials Provider Plugin 355 and earlier does not properly enforce credential scope restrictions when CyberArk credentials are retrieved from job or pipeline contexts.

SYSTEM-scoped CyberArk credentials, which are intended to be accessible only from the Jenkins controller root context (e.g., for system configuration or plugin internals), can be accessed by jobs, pipelines, and folder-scoped contexts. This allows attackers with Item/Configure permission to use CyberArk credentials that were intended to be restricted to system-level operations only.

CloudBees CyberArk Credentials Provider Plugin 377 properly filters SYSTEM-scoped CyberArk credentials based on the requesting context, ensuring they are only accessible from the Jenkins root context.

Stored XSS vulnerability in node offline cause description

SECURITY-3669 / CVE-2026-27099
Severity (CVSS): High
Description:

Since Jenkins 2.483, the description of the reason why a node is offline (the "offline cause") is defined as containing HTML and rendered as such.

CloudBees CI 2.541.1.35570 and earlier, Jenkins 2.550 and earlier, LTS 2.541.1 and earlier does not escape the user-provided description of the "Mark temporarily offline" offline cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.

CloudBees CI 2.541.2.35785, Jenkins 2.551, LTS 2.541.2 escapes the user-provided description of the "Mark temporarily offline" offline cause.

On Jenkins 2.539 and newer, including LTS 2.541.1 and CloudBees CI 2.541.1.35570, enforcing Content Security Policy protection mitigates this vulnerability.

Build information disclosure vulnerability through Run Parameter

SECURITY-3658 / CVE-2026-27100
Severity (CVSS): Medium
Description:

CloudBees CI 2.541.1.35570 and earlier, Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to. This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.

CloudBees CI 2.541.2.35785, Jenkins 2.551, LTS 2.541.2 rejects Run Parameter values that refer to builds the user submitting the build does not have access to (either because they do not exist, or because the user does not have permission to access them).

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.541.2.35785

  • CloudBees Cloud Platforms should be upgraded to 2.541.2.35785
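As an added example, not part of this advisory or of CloudBees or Jenkins project code, the following Groovy script can be run from the Jenkins script console (Manage Jenkins > Script Console, as an administrator) to compare an instance against the fixed versions listed above and to inventory the conditions each issue depends on: SYSTEM-scoped CyberArk credentials, and temporarily offline nodes whose offline cause description contains HTML markup. Two things are assumptions and must be adjusted to the real environment: the plugin short name "cloudbees-cyberark-credentials" and the matching of CyberArk credential classes by the substring "cyberark" in their class name. The version check covers Jenkins core only (weekly vs. LTS is detected by the number of version components); the CloudBees CI build number is not compared.

```groovy
// Added example (not CloudBees/Jenkins project code). Run in the Jenkins script console.
// Assumptions: plugin short name and the "cyberark" class-name match below are guesses.
import jenkins.model.Jenkins
import hudson.util.VersionNumber
import hudson.security.ACL
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.common.StandardCredentials

def jenkins = Jenkins.get()

// 1. Jenkins core vs. the fixed versions stated in the advisory (SECURITY-3669, SECURITY-3658).
//    LTS versions have three components (2.541.2), weekly releases two (2.551).
def core = jenkins.getVersion()
boolean isLts = core.toString().split('\\.').length >= 3
def coreFixed = new VersionNumber(isLts ? "2.541.2" : "2.551")
println "Jenkins core ${core}: " +
    (core.isOlderThan(coreFixed) ? "AFFECTED (fix: ${coreFixed})" : "at or above fixed version")

// 2. CyberArk Credentials Provider Plugin vs. fixed version 377 (BEE-64873).
//    ASSUMPTION: the plugin's short name; check Manage Jenkins > Plugins for the real one.
def cyberArkPlugin = jenkins.getPluginManager().getPlugin("cloudbees-cyberark-credentials")
if (cyberArkPlugin == null) {
    println "CyberArk Credentials Provider Plugin: not installed (BEE-64873 not applicable)"
} else {
    def fixed = new VersionNumber("377")
    println "CyberArk plugin ${cyberArkPlugin.getVersion()}: " +
        (cyberArkPlugin.getVersionNumber().isOlderThan(fixed) ? "AFFECTED (fix: 377)" : "at or above fixed version")
}

// 3. Inventory SYSTEM-scoped credentials at the root context. On an affected plugin version,
//    the CyberArk ones among them are reachable from jobs and folders.
def rootCreds = CredentialsProvider.lookupCredentials(
    StandardCredentials.class, jenkins, ACL.SYSTEM2, Collections.emptyList())
def systemScoped = rootCreds.findAll { it.getScope() == CredentialsScope.SYSTEM }
// ASSUMPTION: CyberArk credential classes are identified by their class name.
def cyberArkSystem = systemScoped.findAll { it.getClass().getName().toLowerCase().contains("cyberark") }
println "SYSTEM-scoped credentials: ${systemScoped.size()}, of which CyberArk: ${cyberArkSystem.size()}"
cyberArkSystem.each { println "  ${it.getId()} (${it.getClass().getSimpleName()})" }

// 4. Temporarily offline nodes whose offline cause description contains markup.
//    Since Jenkins 2.483 this text is rendered as HTML, so a '<' here deserves a look.
jenkins.getComputers().findAll { it.isTemporarilyOffline() }.each { c ->
    String reason = c.getOfflineCauseReason() ?: ""
    String flag = reason.contains("<") ? "  <-- contains markup, review" : ""
    println "Offline node ${c.getName()}: ${reason}${flag}"
}
```

The script only reads state; remediation is the upgrade listed under Fix. Where the core check reports an affected version, enforcing Content Security Policy on Jenkins 2.539 and newer mitigates SECURITY-3669 until the upgrade is applied, as the advisory notes.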

Credit

  • Muhammed Niazy (Wolfman) for SECURITY-3669

  • Suman Roy (https://sumanroy.in) for SECURITY-3658