PatchSiren cyber security CVE debrief
CVE-2026-53438 Jenkins Project CVE debrief
CVE-2026-53438 is a medium-severity vulnerability in Jenkins that allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. This issue affects Jenkins 2.567 and earlier, as well as LTS 2.555.2 and earlier.
- Vendor
- Jenkins Project
- Product
- Jenkins
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-11
Who should care
Administrators of Jenkins instances with untrusted or partially trusted users, and in particular instances where Item/Cancel is granted broadly (for example globally or to all authenticated users) while Item/Read is restricted per job or folder: that is the configuration in which a user ends up holding Item/Cancel on items they cannot see.
Technical summary
The vulnerability is a missing permission check in Jenkins core: cancelling a queue item required Item/Cancel but did not also require Item/Read on the item, so a user holding Item/Cancel without Item/Read can cancel queued builds of jobs they are not authorized to view. The fix versions listed below add the missing check. The issue affects Jenkins 2.567 and earlier and LTS 2.555.2 and earlier, and carries a CVSS score of 4.3 (medium); the impact is limited to cancelling queued builds, not to reading or modifying the items themselves.
Defensive priority
Medium
Recommended defensive actions
- Update Jenkins to version 2.568 or later, or LTS 2.555.3 or later.
- Until patched, grant Item/Cancel only to principals that also hold Item/Read on the same items, and avoid granting it globally (for example to all authenticated users) when Item/Read is restricted per job or folder.
- Monitor the instance for unexpected queue cancellations, for example queued builds that disappear for jobs a given user should not be able to see, and review who holds Item/Cancel when this happens.
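The three actions above can be checked from a script. The following is an added example written for this debrief, not code from PatchSiren or from the Jenkins Project: it compares a reported Jenkins version against the weekly and LTS fix lines from the advisory (keeping the two lines separate, since LTS 2.555.3 is fixed although 2.555 is numerically below the weekly fix 2.568), and audits a permission matrix for principals that hold Item/Cancel without Item/Read. The function names, the sample version strings and the sample permission matrix are constructed for illustration; the matrix is assumed to list effective (explicit) grants, with only Overall/Administer modelled as implying everything else.

```python
"""Check a Jenkins version against the CVE-2026-53438 fix lines and audit a
permission matrix for the Item/Cancel-without-Item/Read pairing.

Added example: function names, sample versions and the sample permission
matrix below are constructed, not taken from a real instance.
"""
from typing import Dict, List, Set, Tuple

# Fix versions from the advisory: weekly 2.568 and LTS 2.555.3.
FIXED_WEEKLY: Tuple[int, ...] = (2, 568)
FIXED_LTS: Tuple[int, ...] = (2, 555, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a Jenkins core version string into a comparable tuple.

    Weekly releases have two components (2.567); LTS releases have three
    (2.555.2). Jenkins reports this value in its X-Jenkins response header.
    """
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version is in the affected range for CVE-2026-53438.

    Weekly and LTS lines are compared separately. A three-component version
    is LTS: anything below 2.555.3 (including every earlier LTS line, which is
    older than 2.555.2) is affected. A two-component version is weekly:
    anything below 2.568 is affected.
    """
    parsed = parse_version(version)
    if len(parsed) == 3:
        return parsed < FIXED_LTS
    return parsed < FIXED_WEEKLY


def cancel_without_read(grants: Dict[str, Set[str]]) -> List[str]:
    """Return principals that hold Item/Cancel but not Item/Read.

    `grants` maps a user or group name to its effective permissions, taken
    from the global matrix or flattened from a per-item matrix. Overall/Administer
    implies every other permission, so administrators are never flagged. Other
    implied permissions are not modelled; review the output by hand.
    """
    flagged = []
    for principal, perms in grants.items():
        if "Overall/Administer" in perms:
            continue
        if "Item/Cancel" in perms and "Item/Read" not in perms:
            flagged.append(principal)
    return sorted(flagged)


# Constructed sample matrix: a service account was given Item/Cancel globally
# to stop stale builds, while Item/Read is granted only to dev-team.
SAMPLE_GRANTS: Dict[str, Set[str]] = {
    "admin": {"Overall/Administer"},
    "dev-team": {"Overall/Read", "Item/Read", "Item/Build", "Item/Cancel"},
    "ci-bot": {"Overall/Read", "Item/Cancel"},
    "authenticated": {"Overall/Read"},
}


if __name__ == "__main__":
    # "2.540.1" is a hypothetical earlier LTS-style version string.
    for v in ("2.567", "2.568", "2.555.2", "2.555.3", "2.540.1"):
        print(f"{v:>8}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    print("Item/Cancel without Item/Read:", cancel_without_read(SAMPLE_GRANTS))
```

In the sample matrix only `ci-bot` is flagged: `dev-team` holds both permissions and `admin` has Overall/Administer. On a real instance, feed the function the matrix exported from the authorization strategy in use, once per folder or job if per-item permissions are configured.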
Evidence notes
CVE-2026-53438 was published on 2026-06-10T14:16:36.793Z and last modified on 2026-06-11T13:21:45.927Z. The vulnerability is described in the CVE record at CVE.org and detailed in the NVD entry; the vendor reference is the Jenkins Project security advisory.
Official resources
- CVE-2026-53438 CVE record (CVE.org)
- CVE-2026-53438 NVD detail (NVD)
- Jenkins Project security advisory (vendor advisory and mitigation reference)