PatchSiren cyber security CVE debrief
CVE-2026-48920 Jenkins Project CVE debrief
Jenkins Email Extension Plugin 1933.v45cec755423f and earlier contains a path traversal vulnerability (CWE-73) that allows attackers with control over email content to read arbitrary files from the Jenkins controller filesystem. The plugin permits inlining images as base64 via the `data-inline` attribute without restricting the image URLs that can be inlined, enabling attackers to specify `file:` URLs to access sensitive files. This vulnerability was published on 2026-05-27 and carries a HIGH severity CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The Jenkins security team assigned this issue identifier SECURITY-3705. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Jenkins Project
- Product: Jenkins Email Extension Plugin
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Jenkins instances with Email Extension Plugin version 1933.v45cec755423f or earlier should prioritize patching. Security teams managing CI/CD infrastructure, Jenkins administrators, and DevOps engineers responsible for email notification configurations are directly affected. Organizations with strict data residency or confidentiality requirements should assess potential file exposure risk.
Technical summary
The Jenkins Email Extension Plugin implements a feature allowing users to inline images as base64 data by setting a `data-inline` attribute. The implementation fails to validate or restrict the source URLs for these images, permitting `file:` protocol URLs. An attacker with the ability to control email content (such as through job configurations or template modifications) can craft malicious image references that use `file://` URLs pointing to sensitive files on the Jenkins controller filesystem. When the email is processed, the plugin reads the specified file and inlines it as base64 content, effectively exposing arbitrary file contents to the attacker. This represents an external control of file name or path weakness (CWE-73) with network attack vector, low attack complexity, and low privileges required.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Jenkins Email Extension Plugin to a version newer than 1933.v45cec755423f as specified in the Jenkins security advisory
- Review email content configurations and restrict who can control email template content
- Audit Jenkins controller filesystem access logs for suspicious file access patterns
- Implement network segmentation to limit Jenkins controller exposure
- Monitor for unusual base64-encoded image inclusions in email configurations
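As an added example (not code from the plugin, the Jenkins project or the advisory), a small Python audit script that applies the review and monitoring actions above to an Email Extension HTML template: it lists every `<img>` whose `src` uses a scheme other than HTTP(S) and marks which of those opt into base64 inlining via `data-inline`. The allow-list, the treatment of `data-inline` as an opt-in flag and the sample template are assumptions; the check also generalises beyond `file:` to any non-HTTP scheme.

```python
"""Audit an Email Extension HTML template for <img> sources that could make
the controller read a local path when inlined (the CVE-2026-48920 pattern)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only remote HTTP(S) images should ever be inlined. Extend for
# your templates (for example add "cid" if they reference attachments).
ALLOWED_SCHEMES = {"http", "https"}


class _ImgCollector(HTMLParser):
    """Collect the attribute map of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # A valueless attribute such as a bare `data-inline` arrives as None.
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_risky_inline_images(html):
    """Return each <img> whose src scheme is off the allow-list, noting whether
    the tag opts into base64 inlining via `data-inline`."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "").strip()
        # urlsplit lower-cases the scheme, so " FILE:///x" matches "file:///x".
        scheme = urlsplit(src).scheme.lower()
        if scheme in ALLOWED_SCHEMES:
            continue
        findings.append({"src": src, "scheme": scheme or "(none)",
                         "inlined": "data-inline" in attrs})
    return findings


# Constructed sample template; the file: paths are placeholders, not targets.
SAMPLE_TEMPLATE = """<html><body>
<p>Build finished.</p>
<img src="https://ci.example.com/static/logo.png" data-inline>
<img data-inline src=" FILE:///etc/hostname" alt="logo">
<img src="file:///tmp/not-inlined.txt">
</body></html>"""
```

Run it over exported job configurations or template files; any finding with `inlined` set to true is a template that would have triggered the controller-side file read on an unpatched plugin.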
Evidence notes
The vulnerability description is sourced from the official CVE record and Jenkins security advisory. The CVSS vector and score are confirmed by NVD data. The vendor identification as Jenkins is supported by reference domain evidence and the security advisory source.
Official resources
- CVE-2026-48920 CVE record (CVE.org)
- CVE-2026-48920 NVD detail (NVD)
- Source reference: The vulnerability was disclosed on 2026-05-27 via the Jenkins security advisory process. The CVE record was published at 2026-05-27T15:16:31.647Z and last modified at 2026-05-27T19:54:54.150Z.