PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48926 Jenkins Project CVE debrief

A missing permission check in Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier allows attackers with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins. This information disclosure vulnerability (CWE-269) has a CVSS 3.1 base score of 4.3 (Medium severity). The issue was disclosed in the Jenkins security advisory dated 2026-05-27. No exploitation in the wild or use in ransomware campaigns has been reported.

Vendor
Jenkins Project
Product
Jenkins Job Import Plugin
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Jenkins administrators, DevOps engineers, and security teams managing CI/CD infrastructure with Job Import Plugin deployments

Technical summary

The Jenkins Job Import Plugin does not perform a permission check on one of its HTTP endpoints, so any user holding only Overall/Read permission can enumerate the IDs of credentials stored in Jenkins. The IDs are not secrets themselves, but they are the handles by which jobs and pipelines bind credentials; an attacker who knows them can combine them with a separate capability (such as the ability to configure a job or run a pipeline) to obtain the underlying secrets, which is why Jenkins treats credentials ID enumeration as a reportable weakness. The vulnerability affects versions 143.v044a_2e819b_27 and earlier.

Defensive priority

medium

Recommended defensive actions

  • Inventory Jenkins instances with the Job Import Plugin installed and upgrade any at version 143.v044a_2e819b_27 or earlier to the fixed release named in the advisory
  • Review HTTP access logs (reverse proxy or Jenkins's own access logger) for requests to the plugin's endpoints from accounts that hold only Overall/Read permission
  • Verify that every user with Overall/Read permission has a legitimate need for it, and check whether the authorization strategy grants Overall/Read to anonymous users (for example via "Allow anonymous read access"), since that would expose the endpoint without authentication
  • Apply least privilege: restrict Overall/Read to the personnel who need it and avoid granting it to broad groups
  • Monitor the Jenkins update center for the plugin release addressing SECURITY-3783 and confirm it is applied
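To turn the first action above into a repeatable check, the following script (an added example, not code from the advisory or from the plugin) parses the output of a Jenkins instance's plugin manager API and classifies the installed Job Import Plugin version against the affected range. It assumes the plugin's short name in the plugin manager is `job-import-plugin`, and the JSON it parses is a constructed sample rather than captured data; in practice the payload would come from `GET /pluginManager/api/json?depth=1` using an API token. Jenkins "CD" version strings (`<commit count>.v<hash>`) are ordered by their leading integer, which is what the classifier compares; a version with the same leading integer but a different hash cannot be ordered from the string alone and is flagged for manual review.

```python
"""Classify an installed Jenkins Job Import Plugin version against the
SECURITY-3783 affected range (143.v044a_2e819b_27 and earlier).

Added example; not part of the Jenkins advisory or the plugin.
Assumptions: plugin short name "job-import-plugin" (hypothetical, confirm in
/pluginManager), and a constructed pluginManager JSON payload below.
"""
import json
import re

AFFECTED_PLUGIN = "job-import-plugin"          # assumed short name
AFFECTED_MAX = "143.v044a_2e819b_27"           # highest affected version per the advisory

# Jenkins CD-style versions look like "<commit-count>.v<hash>"; legacy ones like "3.5".
_LEADING_INT = re.compile(r"^(\d+)")


def leading_number(version: str) -> int:
    """Return the leading integer component of a Jenkins plugin version."""
    m = _LEADING_INT.match(version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(m.group(1))


def classify(version: str) -> str:
    """Return 'affected', 'not-affected', or 'review' for a plugin version."""
    if version == AFFECTED_MAX:
        return "affected"
    n, max_n = leading_number(version), leading_number(AFFECTED_MAX)
    if n < max_n:
        return "affected"
    if n > max_n:
        # Newer than the affected range; still confirm it is the advisory's fix release.
        return "not-affected"
    # Same commit count, different hash: ordering is not decidable from the string.
    return "review"


def check_plugin_manager(payload: str) -> dict:
    """Parse pluginManager/api/json?depth=1 output and report on the Job Import Plugin."""
    data = json.loads(payload)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == AFFECTED_PLUGIN:
            version = plugin["version"]
            return {
                "installed": True,
                "version": version,
                "status": classify(version),
                "enabled": bool(plugin.get("enabled", True)),
            }
    return {"installed": False, "version": None, "status": "not-installed", "enabled": False}


# Constructed sample of a pluginManager response (not captured from a real instance).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "credentials", "version": "1405.vb_cda_74a_f8974", "enabled": True},
    {"shortName": "job-import-plugin", "version": "143.v044a_2e819b_27", "enabled": True},
]})

if __name__ == "__main__":
    print(check_plugin_manager(SAMPLE))
```

Run it against the real payload by replacing `SAMPLE` with the response body from the plugin manager API; a `review` result means the leading integer matches the affected version but the hash does not, which should be resolved by reading the plugin's changelog rather than by guessing.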

Evidence notes

Vulnerability confirmed via official Jenkins security advisory (SECURITY-3783). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. CWE-269 (Improper Privilege Management) identified.

Official resources

2026-05-27