PatchSiren cyber security CVE debrief
CVE-2026-48919 Jenkins Project CVE debrief
The Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation, creating a deserialization of untrusted data vulnerability (CWE-502). This flaw could allow an attacker with administrative privileges to execute arbitrary code through malicious LDAP referral responses. The vulnerability was disclosed in the Jenkins security advisory dated 2026-05-27. The CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector with high attack complexity, requiring high privileges, but with high impact across confidentiality, integrity, and availability if exploited. No known exploitation in the wild has been reported, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Jenkins Project
- Product: Jenkins Active Directory Plugin
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Jenkins with Active Directory Plugin 2.41 or earlier for authentication, particularly those with complex Active Directory forests where LDAP referrals are common. Security teams managing CI/CD infrastructure and identity federation architectures should prioritize this for patching. Infrastructure teams responsible for Jenkins controller hardening and LDAP integration configuration should review referral handling settings. Compliance teams tracking deserialization vulnerabilities in Java applications and supply chain security for build automation platforms should include this in vulnerability management workflows.
Technical summary
The Jenkins Active Directory Plugin implements LDAP authentication with support for LDAP referrals. Versions 2.41 and earlier do not validate the deserialized data received in LDAP referral responses, so attacker-controlled objects can be deserialized. This is a classic insecure deserialization vulnerability (CWE-502): malicious serialized Java objects carried in LDAP referral data could instantiate arbitrary classes on the Jenkins controller. The attack requires high privileges (administrative access to configure or influence LDAP connectivity) and has high attack complexity, because the attacker must control or manipulate the LDAP referral responses the plugin follows. Successful exploitation could result in complete compromise of the Jenkins controller, with high impact to confidentiality, integrity, and availability.
Defensive priority
medium
Recommended defensive actions
- Upgrade Jenkins Active Directory Plugin to a version newer than 2.41 when available per the Jenkins security advisory.
- Review LDAP server configurations and ensure referral chasing is disabled or restricted if not required for authentication flows.
- Monitor Jenkins controller logs for unusual LDAP referral activity or deserialization errors.
- Apply network segmentation controls to limit Jenkins controller exposure to untrusted LDAP infrastructure.
- Validate that Jenkins administrative access requires multi-factor authentication to reduce risk from credential compromise.
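To support the upgrade action above, the following added example (not code from PatchSiren or the Jenkins project) flags Active Directory Plugin installs at version 2.41 or earlier from a Jenkins plugin inventory. It assumes the JSON shape of Jenkins' `/pluginManager/api/json?depth=1` endpoint (`plugins[].shortName`, `version`, `enabled`); the embedded inventory is a constructed sample, and the version parser's treatment of incremental suffixes is this example's own convention.

```python
"""Inventory check for CVE-2026-48919: Jenkins Active Directory Plugin <= 2.41."""
import json
import re

AFFECTED_SHORT_NAME = "active-directory"   # Jenkins short name of the plugin
LAST_AFFECTED = "2.41"                     # "2.41 and earlier" per the advisory


def parse_version(version: str) -> tuple:
    """Turn a Jenkins plugin version into a comparable tuple of integers.

    Versions are dotted numerics, sometimes followed by an incremental suffix
    such as "2.41.vabc123". The numeric prefix is compared directly; a trailing
    non-numeric token is treated as a later build of that prefix (appended 1),
    so "2.41.v..." sorts after the plain "2.41" named in the advisory.
    Returns () when no leading numeric component exists.
    """
    numeric = []
    for tok in re.split(r"[.\-_]", version.strip()):
        if tok.isdigit():
            numeric.append(int(tok))
        else:
            if numeric:
                numeric.append(1)  # suffix build => newer than bare prefix
            break
    return tuple(numeric)


def is_affected(version: str):
    """True if <= 2.41, False if newer, None if the version is unparseable."""
    parsed = parse_version(version)
    if not parsed:
        return None
    return parsed <= parse_version(LAST_AFFECTED)


def find_affected_plugins(plugin_api_json: str) -> list:
    """Return findings for the Active Directory Plugin from a pluginManager dump."""
    findings = []
    for plugin in json.loads(plugin_api_json).get("plugins", []):
        if plugin.get("shortName") != AFFECTED_SHORT_NAME:
            continue
        verdict = is_affected(plugin.get("version", ""))
        if verdict is False:
            continue  # newer than 2.41: not in the advisory's affected range
        findings.append({"shortName": plugin["shortName"],
                         "version": plugin.get("version", ""),
                         "enabled": plugin.get("enabled", True),
                         "status": "affected" if verdict else "unknown"})
    return findings


# Constructed sample inventory in the pluginManager API shape (not real data).
SAMPLE_PLUGIN_API = json.dumps({"plugins": [
    {"shortName": "active-directory", "version": "2.41", "enabled": True},
    {"shortName": "ldap", "version": "3.4", "enabled": True},
]})

if __name__ == "__main__":
    for f in find_affected_plugins(SAMPLE_PLUGIN_API):
        print(f"{f['shortName']} {f['version']}: {f['status']} (enabled={f['enabled']})")
```

Run it against a live controller by fetching the endpoint with an authenticated API token and passing the response body to `find_affected_plugins`; an `unknown` status means the version string needs manual review.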
Evidence notes
Vulnerability description and CVSS vector sourced from NVD record. Jenkins security advisory reference confirms vendor disclosure. CWE-502 classification provided in NVD weaknesses field. No KEV entry present.
Official resources
- CVE-2026-48919 CVE record (CVE.org)
- CVE-2026-48919 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27