PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48923 Jenkins Project CVE debrief

A missing permission check in the Jenkins AppSpider Plugin (versions 1.0.17 and earlier) allows attackers with Overall/Read permission to connect to attacker-specified URLs through a form validation method. This vulnerability, disclosed in the Jenkins security advisory for May 27, 2026, enables unauthorized Server-Side Request Forgery (SSRF) capabilities that could be leveraged for internal network reconnaissance or accessing restricted resources. The CVSS 3.1 score of 4.3 (Medium) reflects the limited impact (integrity only) and the requirement for authenticated access with low privileges. The vulnerability is classified under CWE-269 (Improper Privilege Management).

Vendor: Jenkins Project
Product: Jenkins AppSpider Plugin
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Jenkins administrators operating instances with the AppSpider Plugin installed, security teams managing CI/CD infrastructure, and organizations using Jenkins for application security testing workflows

Technical summary

The Jenkins AppSpider Plugin implements form validation functionality that fails to verify appropriate permissions before executing. An attacker possessing only Overall/Read permission—typically granted to basic authenticated users—can manipulate form validation requests to cause the Jenkins server to initiate connections to arbitrary URLs specified by the attacker. This represents an SSRF vulnerability where the trusted Jenkins server becomes a proxy for attacker-directed network requests. The vulnerability exists in the plugin's form validation method implementation, which should enforce Item/Configure or equivalent administrative permissions but instead permits low-privileged access.
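The weakness described above is a general Jenkins plugin pattern: a Stapler form validation method (a `doCheckXxx` or `doTestConnection` handler on a Descriptor) that opens a connection to a user-supplied URL without first checking permissions. The following is an added illustration written for this debrief, not code from the AppSpider Plugin or from the Jenkins Project, and it does not claim to reproduce the plugin's actual method or its fix. The class, package and field names (`ExampleScannerBuilder`, `serverUrl`) are hypothetical; the Jenkins core APIs used (`FormValidation`, `@RequirePOST`, `@AncestorInPath`, `Item.CONFIGURE`, `Jenkins.ADMINISTER`) are real. It shows the unchecked variant beside the hardened one so reviewers can recognise both in a plugin code base:

```java
package example.hypothetical; // hypothetical package, not the AppSpider Plugin's

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.HttpURLConnection;
import java.net.URL;

public class ExampleScannerBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // UNCHECKED PATTERN (illustrative, not the plugin's code): Stapler routes
        // /descriptorByName/.../testConnectionUnsafe?serverUrl=... here for any
        // user who can reach the UI, i.e. anyone holding Overall/Read, and the
        // controller then connects to whatever URL was supplied.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl) {
            return connect(serverUrl);
        }

        // HARDENED PATTERN: require POST so the side effect cannot be triggered by a
        // plain GET link, then require that the caller may configure the job the
        // form belongs to; when the form is rendered outside a job context, fall back
        // to Overall/Administer. checkPermission() throws AccessDeniedException3
        // for unauthorised callers before any connection is attempted.
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return connect(serverUrl);
        }

        // Shared connectivity probe; the permission check above is what decides
        // who may cause the controller to issue this request.
        private static FormValidation connect(String serverUrl) {
            try {
                HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                conn.setRequestMethod("HEAD");
                int code = conn.getResponseCode();
                return code < 400
                        ? FormValidation.ok("Connected (HTTP " + code + ")")
                        : FormValidation.error("Server returned HTTP " + code);
            } catch (Exception e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example scanner (illustrative)";
        }
    }
}
```

When auditing a plugin for this class of issue, look for every `do*` method on a Descriptor that takes a `@QueryParameter` and performs I/O, and confirm it carries both a permission check matching the form's context and `@RequirePOST`; either one alone leaves a gap.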

Defensive priority

medium

Recommended defensive actions

  • Upgrade Jenkins AppSpider Plugin to a version newer than 1.0.17 when available
  • Review Jenkins audit logs for suspicious URL connection attempts from users with Overall/Read permission
  • Implement network segmentation to restrict Jenkins server outbound connectivity
  • Apply principle of least privilege by auditing and minimizing Overall/Read permission assignments
  • Monitor for plugin updates through Jenkins Update Center and subscribe to Jenkins security advisories

Evidence notes

Vulnerability confirmed through official Jenkins security advisory (SECURITY-3671) and NVD entry. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. Affected versions explicitly stated as 1.0.17 and earlier.

Official resources

2026-05-27