PatchSiren cyber security CVE debrief
CVE-2026-48918 Jenkins Project CVE debrief
The Jenkins Active Directory Plugin versions 2.41 and earlier follow LDAP referrals by default, which may allow authentication requests to be redirected to unintended directory servers. This behavior could potentially enable Server-Side Request Forgery (SSRF) or credential disclosure scenarios if an attacker can influence referral targets in a compromised or maliciously configured Active Directory environment. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). The issue was disclosed in the Jenkins security advisory dated May 27, 2026.
- Vendor: Jenkins Project
- Product: Jenkins Active Directory Plugin
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Jenkins with Active Directory Plugin version 2.41 or earlier for authentication, particularly those with complex multi-domain Active Directory forests or untrusted LDAP environments. Security teams responsible for CI/CD infrastructure hardening and identity federation architectures.
Technical summary
The Jenkins Active Directory Plugin versions 2.41 and earlier enable LDAP referral following by default. When a Jenkins controller queries an Active Directory or LDAP server, the server may return referrals pointing to alternative directory servers. Because the plugin follows these referrals by default, the Jenkins controller can initiate connections to servers outside the intended authentication infrastructure. This creates potential for Server-Side Request Forgery (SSRF) if an attacker can manipulate referral responses, or credential disclosure if referrals direct authentication attempts (including the bind credentials) to attacker-controlled endpoints. Exploitation requires high privileges and high attack complexity over a network attack vector.
Defensive priority
medium
Recommended defensive actions
- Upgrade Jenkins Active Directory Plugin to a version newer than 2.41 when available
- Review LDAP referral handling configuration in Jenkins Active Directory Plugin settings
- Audit network egress from Jenkins controllers to unexpected LDAP server destinations
- Monitor authentication logs for anomalous referral patterns or unexpected directory server connections
- Apply principle of least privilege for Jenkins service accounts used for Active Directory binding
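To make the referral-handling and egress-audit points above concrete, here is an added Python example (not the plugin's or the Jenkins Project's code) that evaluates LDAP referral URLs the way a hardened client, or a review of logged referrals, would: referrals are refused outright when following is disabled, and otherwise accepted only for hosts inside a constructed allowlist of forest domain controllers on LDAP ports. The allowlist, host names and sample referrals are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Ports an AD referral may legitimately point to: LDAP, LDAPS, Global Catalog, GC over TLS.
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed allowlist (assumption): explicit DC hostnames plus a forest DNS suffix
# (entries starting with '.'). A real deployment lists its own domain controllers.
TRUSTED_DIRECTORY_HOSTS = {"dc01.corp.example.com", ".corp.example.com"}


def is_trusted_host(host, trusted):
    """True when host is listed explicitly or falls under a trusted DNS suffix."""
    return any(host.endswith(e) if e.startswith(".") else host == e for e in trusted)


def evaluate_referral(url, trusted=TRUSTED_DIRECTORY_HOSTS, follow_referrals=True):
    """Decide whether an RFC 4516 referral may be followed: refused when following is
    disabled (mirrors an 'ignore referrals' client), else only trusted hosts on LDAP ports."""
    if not follow_referrals:
        return False, "referral following disabled"
    parts = urlsplit(url)
    try:
        host, port = parts.hostname, parts.port  # .port raises on a non-numeric port
    except ValueError:
        return False, f"invalid port in referral: {url}"
    if parts.scheme not in ("ldap", "ldaps") or not host:
        return False, f"malformed or non-LDAP referral: {url}"
    port = port or (636 if parts.scheme == "ldaps" else 389)
    if not is_trusted_host(host, trusted):
        return False, f"untrusted referral host {host}"
    if port not in LDAP_PORTS:
        return False, f"referral to non-LDAP port {port} on {host}"
    return True, f"trusted {parts.scheme} referral to {host}:{port}"


def audit_referrals(urls, trusted=TRUSTED_DIRECTORY_HOSTS):
    """Return the referrals a follow-by-default client would have chased
    outside the trusted directory set, with the reason each was flagged."""
    flagged = []
    for url in urls:
        allowed, reason = evaluate_referral(url, trusted, follow_referrals=True)
        if not allowed:
            flagged.append((url, reason))
    return flagged


# Constructed sample referrals: in-forest, outside host, in-forest host on a non-LDAP port.
SAMPLE_REFERRALS = [
    "ldap://dc02.corp.example.com/DC=corp,DC=example,DC=com",
    "ldap://ad.outside.example.net:389/DC=corp,DC=example,DC=com",
    "ldap://dc01.corp.example.com:8080/DC=corp,DC=example,DC=com",
]
```

Running audit_referrals(SAMPLE_REFERRALS) flags the second and third entries; the same check can be applied to referral targets recovered from controller or egress logs.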
Evidence notes
The vulnerability description and affected versions are sourced from the official Jenkins security advisory. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector with high attack complexity and high privileges required, resulting in a medium severity score of 6.6. The weakness is identified as CWE-918 (SSRF).
Official resources
- CVE-2026-48918 CVE record (CVE.org)
- CVE-2026-48918 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27