CVE-2026-10276 hekmon8 CVE debrief

Who should care

Organizations running Jenkins-server-mcp 0.1.0, particularly those exposing the service to remote users or integrating it with sensitive internal infrastructure. Security teams should prioritize this if the deployment has access to internal services or cloud metadata endpoints.

Technical summary

The `jobPath` function in `src/index.ts` of Jenkins-server-mcp 0.1.0 fails to properly validate user-controlled input when constructing requests for build status, build logs, and build triggers. This allows an attacker to manipulate the request target, causing the server to issue requests to attacker-specified destinations. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and has been publicly disclosed with available exploit information.

Defensive priority

LOW

Recommended defensive actions

• Review and restrict outbound network connectivity from Jenkins-server-mcp deployments to only necessary endpoints
• Validate and sanitize all user-supplied input passed to the jobPath function, particularly URL or path components
• Implement allowlist-based URL validation for any server-side requests initiated by the application
• Monitor for an official patch from the project maintainer; consider temporary network segmentation until a fix is available
• Review application logs for anomalous outbound requests that may indicate SSRF exploitation attempts

Evidence notes

The vulnerability was reported through VulDB (submission 825412) and assigned CVE-2026-10276. The NVD entry shows a 'Received' status with references to the GitHub repository, an open issue report, and VulDB analysis pages. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges (PR:L in vector), and no user interaction, with partial impacts on confidentiality, integrity, and availability. The CWE classification is CWE-918 (Server-Side Request Forgery).

Official resources