CVE-2026-48925 Jenkins Project CVE debrief

Who should care

Jenkins administrators using GitHub Integration Plugin for pull request builds; DevSecOps teams managing CI/CD pipeline security; organizations with automated build triggers from GitHub webhooks

Technical summary

The Jenkins GitHub Integration Plugin versions 0.7.3 and earlier fail to implement adequate CSRF protections on endpoints responsible for triggering builds from pull request events. An attacker can craft malicious web content that, when rendered in a victim's browser with an active Jenkins session, submits unauthorized requests to initiate builds. This could lead to resource exhaustion, exposure of build artifacts, or execution of untrusted code in the CI environment depending on pipeline configuration. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact.

Defensive priority

medium

Recommended defensive actions

• Upgrade Jenkins GitHub Integration Plugin to a version newer than 0.7.3 per the Jenkins security advisory
• Review Jenkins CSRF protection settings and ensure they are enabled globally
• Audit Jenkins job configurations for unauthorized build triggers
• Monitor Jenkins build logs for unexpected pull request build initiations
• Apply principle of least privilege to Jenkins API tokens and credentials used for GitHub integration

Evidence notes

Official Jenkins security advisory confirms affected versions (0.7.3 and earlier) and vulnerability class (CSRF). NVD record corroborates CVSS vector and CWE-352 classification. No KEV listing present.

Official resources