PatchSiren cyber security CVE debrief

CVE-2026-48917 Jenkins Project CVE debrief

Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. This vulnerability allows an attacker to potentially execute arbitrary code through maliciously crafted LDAP referral responses. The issue stems from improper deserialization of untrusted data (CWE-502), a common attack vector in Java applications. The vulnerability was disclosed in the Jenkins security advisory dated 2026-05-27. Organizations using affected versions should prioritize updating to a patched version when available.

Vendor: Jenkins Project
Product: Jenkins LDAP Plugin
CVSS: MEDIUM 6.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Jenkins with LDAP authentication enabled, particularly those using LDAP referral functionality. Security teams managing CI/CD infrastructure and identity federation configurations.

Technical summary

The Jenkins LDAP Plugin versions 807.v7d7de30930cf and earlier contain a deserialization vulnerability in how LDAP referral data is processed. When the plugin receives LDAP referral responses, it deserializes the data without proper validation, potentially allowing remote code execution. The attack requires high privileges (PR:H) and high attack complexity (AC:H), but successful exploitation could result in complete confidentiality, integrity, and availability compromise (C:H/I:H/A:H). The vulnerability is network-accessible (AV:N) with no user interaction required.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Jenkins LDAP Plugin to a version newer than 807.v7d7de30930cf when available
  • Monitor Jenkins security advisory for patch release
  • Review LDAP server configurations for unauthorized referral sources
  • Apply principle of least privilege to Jenkins service accounts
  • Enable network segmentation between Jenkins controllers and LDAP infrastructure
  • Review Jenkins plugin inventory for other plugins with similar deserialization patterns
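The "review LDAP server configurations for unauthorized referral sources" and segmentation actions above boil down to one question: which hosts do the referrals your directory hands back actually point at? The following Python script is an added example, not code from this debrief, the Jenkins project or the LDAP plugin. It parses referral URLs in the RFC 4516 LDAP URL form, checks each host against a hypothetical allowlist of approved directory servers, and flags plaintext `ldap://` targets, host-less referrals and malformed URLs. The allowlist and the sample referral strings are constructed for the example.

```python
"""Audit LDAP referral targets against an allowlist of approved directory hosts."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical allowlist: the directory servers a Jenkins controller is expected to
# talk to. Hostnames are compared lowercase, which is how urlsplit() reports them.
TRUSTED_DIRECTORY_HOSTS = {"ldap.corp.example", "ldap-dr.corp.example"}

# Constructed sample: referral URLs as an LDAP client might record them when a
# search returns a referral. Not real log data.
SAMPLE_REFERRALS = [
    "ldaps://ldap.corp.example:636/ou=eng,dc=corp,dc=example",
    "ldap://ldap-dr.corp.example/dc=corp,dc=example",
    "ldaps://203.0.113.10/dc=corp,dc=example",
    "ldaps://[2001:db8::25]:636/dc=corp,dc=example",
    "ldap:///ou=people,dc=corp,dc=example",
    "ldap://ldap.corp.example:99999/dc=corp,dc=example",
    "http://ldap.corp.example/",
]


@dataclass(frozen=True)
class ReferralFinding:
    url: str
    verdict: str  # "allowed", "plaintext", "untrusted-host", "no-host", "malformed"
    reason: str


def evaluate_referral(url: str, trusted_hosts: set, require_tls: bool = True) -> ReferralFinding:
    """Classify one referral URL; the first failing check decides the verdict."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lowercased, IPv6 brackets stripped
        port = parts.port              # raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        return ReferralFinding(url, "malformed", str(exc))
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        return ReferralFinding(url, "malformed", f"unexpected scheme {parts.scheme!r}")
    if host is None:
        # RFC 4516: an empty host means "the server that issued the referral".
        return ReferralFinding(url, "no-host", "referral names no host; client keeps current server")
    if host not in trusted_hosts:
        return ReferralFinding(url, "untrusted-host", f"{host} is not an approved directory server")
    if require_tls and scheme == "ldap":
        return ReferralFinding(url, "plaintext", "referral would be followed without TLS")
    return ReferralFinding(url, "allowed", f"{host}:{port or 'default'} is approved")


def audit_referrals(urls, trusted_hosts, require_tls: bool = True):
    """Evaluate every referral URL and return the findings in input order."""
    return [evaluate_referral(u, trusted_hosts, require_tls) for u in urls]


def count_by_verdict(findings) -> dict:
    """Summarise findings as {verdict: count} for a quick triage view."""
    counts: dict = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_referrals(SAMPLE_REFERRALS, TRUSTED_DIRECTORY_HOSTS)
    for f in results:
        print(f"{f.verdict:15} {f.url}  ({f.reason})")
    print(count_by_verdict(results))
```

Anything reported as `untrusted-host` is a referral that would pull the client, and with it any referral-data handling such as the deserialization described in this debrief, towards a server outside the approved set; those are the entries to reconcile with the directory configuration and the segmentation rules. Separately from this audit, whether a Java LDAP client follows referrals at all is controlled by the JNDI environment property `java.naming.referral` (values `follow`, `ignore` or `throw`); how the Jenkins LDAP Plugin sets it is not stated on this page.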

Evidence notes

Vulnerability confirmed via Jenkins security advisory SECURITY-3654. CVSS 3.1 vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. CWE-502 (Deserialization of Untrusted Data) identified as root cause.

Official resources

Jenkins security advisory dated 2026-05-27 (SECURITY-3654)