Build authorization token exported in plaintext by CloudBees CasC Items API Plugin
BEE-71412
Severity (CVSS): Medium
Description:
Since CloudBees CI 2.528.3.35200, Jenkins 2.541, LTS 2.528.3, build authorization tokens are masked on the configuration form and stored encrypted.
CloudBees CasC Items API 2.5517 and earlier exports build authorization tokens unencrypted in items.yaml output. This increases the potential for attackers to observe and capture them.
CloudBees CasC Items API Plugin 2.5523 exports the encrypted values of build authorization tokens.
Since CloudBees CI 2.528.3.35200, build authorization tokens can be specified encrypted or as plaintext in items.yaml files. Only the export is affected by this issue.
Encrypted secrets like build authorization tokens use controller-specific encryption keys and cannot be shared across controllers.
Deserialization vulnerability
SECURITY-3707 / CVE-2026-53435
Severity (CVSS): High
Description:
Jenkins uses serialization and deserialization in multiple places, like agent/controller communication (the Remoting library) and to load and save configuration and build data (using XStream). To protect from common deserialization vulnerabilities, Jenkins uses a custom deserialization filter that only allows deserialization of types defined in Jenkins core or plugins, or explicitly allowed types (JEP-200). These vulnerabilities generally rely on behavior defined in #readResolve methods that are executed during deserialization.
Jenkins uses the Stapler web framework for HTTP request handling. Stapler’s basic premise is that it uses reflective access to code elements matching its naming conventions. Since 2018, Jenkins limits request routing to only types defined in Jenkins core or plugins, and can only access fields and methods that have (return) types, parameters, or annotations related to HTTP request handling.
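The allowlist idea behind the JEP-200 filter described above, shown as an added example in Python rather than as Jenkins' own code: Jenkins filters Java serialization and XStream, while this models the same mechanism with Python's `pickle`, whose default loader imports and calls whatever a payload names, much like an unfiltered `ObjectInputStream`. The class and function names, and the `os.system` gadget standing in for a `readResolve`-style hook, are this example's own assumptions.

```python
"""Allowlist deserialisation, as an analog of the JEP-200 filter.

Added example, not Jenkins code: Jenkins filters Java serialization and
XStream; this models the same idea with Python's pickle. Class and
function names here are this example's own.
"""
import io
import os
import pickle


class BuildRecord:
    """An expected type, the analog of a class defined in core or a plugin."""

    def __init__(self, number: int, result: str):
        self.number = number
        self.result = result


class Gadget:
    """Attacker side: a class whose reduction makes the loader call os.system.
    It plays the role of a readResolve-style hook that runs during
    deserialisation. It is only ever pickled here, never loaded unfiltered."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


# The allowlist: only explicitly registered types may be resolved.
ALLOWED_TYPES = {(BuildRecord.__module__, BuildRecord.__qualname__): BuildRecord}


class AllowlistUnpickler(pickle.Unpickler):
    """Refuses to resolve any (module, name) pair that is not on the allowlist."""

    def find_class(self, module: str, name: str):
        try:
            return ALLOWED_TYPES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"type {module}.{name} is not allowed") from None


def safe_loads(data: bytes):
    """Deserialise through the allowlist filter."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True when the filter refuses the payload; nothing in it is executed."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def serialize_record(number: int, result: str) -> bytes:
    """Constructed benign payload of an expected type."""
    return pickle.dumps(BuildRecord(number, result))


def gadget_payload() -> bytes:
    """Constructed malicious payload; pickling only records the reference to
    os.system, it does not call it."""
    return pickle.dumps(Gadget())


if __name__ == "__main__":
    print("expected type:", vars(safe_loads(serialize_record(42, "SUCCESS"))))
    print("gadget rejected:", is_rejected(gadget_payload()))
```

The filter decides at type-resolution time, before any constructor, `__reduce__` callable or `readResolve` analog can run, which is the property that makes an allowlist effective against gadget chains; what it cannot do is judge whether an allowed type is safe to expose afterwards, which is the gap the vulnerability below exploits.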
In CloudBees CI 2.555.2.36756 and earlier, Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission in a way that allows them to handle HTTP requests afterwards. To do this, attackers need to have Overall/Read permission, and at least one of the following:
- a user account (i.e., cannot be anonymous)
- any set of permissions allowing them to POST config.xml (e.g., Item/Configure, View/Configure, Agent/Configure)
This vulnerability can be exploited in multiple ways:
Attackers can impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code.
Attackers can read arbitrary files from the Jenkins controller (see Reading Files).
There are likely other ways to exploit this vulnerability, and the above list is not exhaustive.
CloudBees CI 2.555.3.36983 restricts the types allowed in the affected deserialization to expected types.
Open redirect vulnerability
SECURITY-3711+3755 / CVE-2026-53436 (leading period), CVE-2026-53437 (tab or newline characters)
Severity (CVSS): Medium
Description:
CloudBees CI 2.555.2.36756 and earlier, Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow:
- A URL containing relative path segments (./ or ../) is validated before the servlet container collapses those segments into a protocol-relative URL starting with //, which browsers interpret as a scheme-relative URL, allowing redirection to an attacker-controlled domain (SECURITY-3711 / CVE-2026-53436).
- Tab or newline characters are not ignored when checking for the presence of // at the start of the URL, allowing redirection to an attacker-controlled domain by placing a tab or newline between the two leading slashes (SECURITY-3755 / CVE-2026-53437).
CloudBees CI 2.555.3.36983 strips tab and newline characters before validation and rejects URLs containing // anywhere.
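The two bypasses and the corrected check, as an added example in Python that models the behaviour the advisory describes; it is not Jenkins or CloudBees code, and the check functions are a simplified model with names of this example's own. The dot-segment collapsing follows RFC 3986 section 5.2.4 as a stand-in for what the servlet container does before redirecting, and the tab/newline stripping follows what browsers do when parsing a URL.

```python
"""Model of the two login-redirect validation flaws (SECURITY-3711, SECURITY-3755).

Added example, not Jenkins or CloudBees code: the check functions below are a
simplified model of the behaviour the advisory describes, with names of this
example's own.
"""
import re
from urllib.parse import urlsplit

# Browsers strip ASCII tab, LF and CR from a URL before interpreting it,
# which is why "/\t/evil.com" reaches the browser as "//evil.com".
_TAB_NL = re.compile(r"[\t\n\r]")


def remove_dot_segments(path: str) -> str:
    """Collapse "." and ".." segments the way a servlet container canonicalises
    a path before redirecting (RFC 3986 5.2.4, simplified: ".." never climbs
    above the root and empty segments are kept, so "/.//evil.com" and
    "/a/..//evil.com" both become "//evil.com")."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def is_safe_redirect_vulnerable(url: str) -> bool:
    """Pre-fix logic: accept a path that starts with a single "/" and is not
    an absolute URL. It inspects the raw string before dot segments are
    collapsed and without stripping tab or newline, so both bypasses pass."""
    return url.startswith("/") and not url.startswith("//") and "://" not in url


def is_safe_redirect_fixed(url: str) -> bool:
    """Post-fix logic as the advisory states it: strip tab and newline first,
    then reject "//" anywhere in the URL, not only at the start."""
    cleaned = _TAB_NL.sub("", url)
    return cleaned.startswith("/") and "//" not in cleaned


def browser_target(url: str) -> str:
    """Host the browser ends up on: the container collapses dot segments, the
    browser drops tab/newline and parses the result. "" means same origin."""
    return urlsplit(remove_dot_segments(_TAB_NL.sub("", url))).netloc


if __name__ == "__main__":
    for candidate in ["/job/foo/", "/.//evil.com", "/a/..//evil.com", "/\t/evil.com"]:
        print(
            f"{candidate!r:20} vulnerable={is_safe_redirect_vulnerable(candidate)!s:5} "
            f"fixed={is_safe_redirect_fixed(candidate)!s:5} "
            f"lands on={browser_target(candidate) or 'same origin'}"
        )
```

Rejecting "//" anywhere, rather than only as a prefix, is what closes the first bypass: no sequence of dot segments can produce a leading "//" from a string that contained no adjacent slashes, so validating before canonicalisation becomes safe.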
Missing permission check allows canceling queue items
SECURITY-3712 / CVE-2026-53438
Severity (CVSS): Medium
Description:
CloudBees CI 2.555.2.36756 and earlier, Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform an Item/Read permission check in an HTTP endpoint.
This allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.
This is due to an incomplete fix of SECURITY-2278 in the 2021-06-30 security advisory.
CloudBees CI 2.555.3.36983 performs an Item/Read permission check in the affected endpoint.
Missing permission checks allow obtaining limited user profile information
SECURITY-3713 / CVE-2026-53439
Severity (CVSS): Medium
Description:
CloudBees CI 2.555.2.36756 and earlier, Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform permission checks in HTTP endpoints.
This allows attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".
CloudBees CI 2.555.3.36983 performs permission checks in the affected endpoints.
Open redirect vulnerability in "Delegate to servlet container" security realm
SECURITY-3721 / CVE-2026-53440
Severity (CVSS): Medium
Description:
CloudBees CI 2.555.2.36756 and earlier, Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login.
This allows attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.
CloudBees CI 2.555.3.36983 ensures that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login.
Stored XSS vulnerability in node offline cause description
SECURITY-3731 / CVE-2026-53441
Severity (CVSS): High
Description:
Since CloudBees CI 2.479.1.3 and Jenkins 2.483, the description of the reason why a node is offline (the "offline cause") is defined as containing HTML and rendered as such.
CloudBees CI 2.555.2.36756 and earlier, Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through the POST config.xml API.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
CloudBees CI 2.555.3.36983 redefines all offline cause descriptions rendered through the default UI as plain text.
On CloudBees CI 2.541.1.35570 and newer, enforcing Content Security Policy protection mitigates this vulnerability.
This vulnerability is due to an incomplete fix of SECURITY-3669 in the 2026-02-18 security advisory.
Plaintext secrets persisted and served by config.xml endpoints
SECURITY-3744 / CVE-2026-53442
Severity (CVSS): Medium
Description:
In CloudBees CI 2.555.2.36756 and earlier, Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission persist on disk and reappear in subsequent GET config.xml responses, exposing them to users with Item/Extended Read permission.
CloudBees CI 2.555.3.36983 first confirms that the POST config.xml submission can be loaded successfully, then serializes the item to disk, so that secrets are encrypted.
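The difference between writing the submission verbatim and re-serialising the loaded item, as an added example in Python; it is not Jenkins or CloudBees code. The item format (a `project` element with a hypothetical `authToken` field), the toy cipher and every function name are this example's own assumptions; what it shows is the ordering "load, then serialise", not Jenkins' cryptography.

```python
"""Model of SECURITY-3744: persisting the POST config.xml body verbatim versus
re-serialising the loaded item so that secrets are stored encrypted.

Added example, not Jenkins or CloudBees code. The item format, the toy cipher
and every name here are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed key standing in for the controller-specific key; a real
# controller derives its own, which is why encrypted values do not transfer
# between controllers.
_CONTROLLER_KEY = b"constructed-example-key-not-real"


def _keystream(nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(_CONTROLLER_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(plaintext: str) -> str:
    """Toy stream cipher (HMAC-SHA256 keystream, XOR). The "{base64}" shape
    mimics a Jenkins encrypted Secret; the algorithm does not."""
    data = plaintext.encode()
    nonce = os.urandom(8)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    return "{" + base64.b64encode(nonce + ciphertext).decode() + "}"


def decrypt_secret(stored: str) -> str:
    """Accept the "{...}" encrypted form or plaintext, as the config.xml
    loader does for Secret fields."""
    if stored.startswith("{") and stored.endswith("}"):
        raw = base64.b64decode(stored[1:-1])
        nonce, ciphertext = raw[:8], raw[8:]
        return bytes(a ^ b for a, b in zip(ciphertext, _keystream(nonce, len(ciphertext)))).decode()
    return stored


class Item:
    """A job with one secret field (hypothetical <authToken> element)."""

    def __init__(self, name: str, token: str):
        self.name = name
        self.token = token  # plaintext in memory only

    @classmethod
    def from_xml(cls, body: bytes) -> "Item":
        root = ET.fromstring(body)
        if root.tag != "project":
            raise ValueError("unexpected root element %r" % root.tag)
        return cls(root.findtext("name", ""), decrypt_secret(root.findtext("authToken", "")))

    def to_xml(self) -> bytes:
        root = ET.Element("project")
        ET.SubElement(root, "name").text = self.name
        ET.SubElement(root, "authToken").text = encrypt_secret(self.token)
        return ET.tostring(root)


def post_config_xml_vulnerable(disk: dict, body: bytes) -> None:
    """Pre-fix flow: confirm the body deserialises, then write the submission
    exactly as received."""
    Item.from_xml(body)
    disk["config.xml"] = body


def post_config_xml_fixed(disk: dict, body: bytes) -> None:
    """Post-fix flow: load the item, then serialise it, so Secret fields are
    written in their encrypted form."""
    disk["config.xml"] = Item.from_xml(body).to_xml()


def get_config_xml(disk: dict) -> bytes:
    """GET config.xml is served straight from the stored file."""
    return disk["config.xml"]


# Constructed submission carrying a plaintext token, as an Item/Configure
# user could POST it.
SUBMISSION = b"<project><name>deploy</name><authToken>hunter2-plain</authToken></project>"

if __name__ == "__main__":
    for handler in (post_config_xml_vulnerable, post_config_xml_fixed):
        disk = {}
        handler(disk, SUBMISSION)
        served = get_config_xml(disk)
        print(handler.__name__, "leaks plaintext:", b"hunter2-plain" in served)
        print("  loads back to:", Item.from_xml(served).token)
```

Both flows accept the same input and both load back to the same item; the only difference is which bytes reach disk, and therefore which bytes a later Item/Extended Read request is served.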