PatchSiren cyber security CVE debrief
CVE-2026-53442 Jenkins Project CVE debrief
CVE-2026-53442 is a medium-severity vulnerability affecting Jenkins versions 2.567 and earlier, as well as LTS versions 2.555.2 and earlier. The vulnerability causes Jenkins to store secrets from POST config.xml submissions in an unencrypted format in job config.xml files on the Jenkins controller. This allows users with Item/Extended Read permission or access to the Jenkins controller file system to view these secrets.
- Vendor: Jenkins Project
- Product: Jenkins
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-12
Who should care
Users of Jenkins versions 2.567 and earlier, and of LTS versions 2.555.2 and earlier, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.3 and a CVSS severity of MEDIUM. It was published on June 10, 2026, and modified on June 12, 2026. The vulnerability is classified under CWE-311, which refers to the Cleartext Storage of Sensitive Information.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to Jenkins version 2.568 or later, or LTS version 2.555.3 or later.
- Restrict access to job configurations to prevent unauthorized users from viewing secrets.
- Use encryption to protect sensitive data in job configurations.
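The second and third actions above call for finding any job configuration where a secret has already been written out in cleartext. The following scanner is an added example and is not code from the Jenkins Project or from this advisory. It assumes that Jenkins serializes an encrypted secret as base64 text wrapped in braces (for example "{AQAAABAAAA...}"), that element names containing fragments such as "password" or "token" are the ones expected to carry secrets (a heuristic, not a Jenkins schema), and that the sample config.xml, the plugin-like element names example.Deployer and example.Notifier, and the values in it are constructed for the demonstration.

```python
"""Scan Jenkins job config.xml files for secret-bearing elements stored in cleartext.

Added example for this debrief; not the Jenkins Project's own code.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: an encrypted Jenkins Secret serializes as base64 text wrapped in braces, e.g. "{AQAAABAAAA...}".
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Heuristic (not a Jenkins schema): element names containing these fragments are expected to hold secrets.
SECRET_TAG_HINTS = ("password", "passphrase", "secret", "token")


def _walk(elem, path, findings):
    """Depth-first walk that records secret-like elements whose text is not in the encrypted form."""
    here = f"{path}/{elem.tag}"
    tag = elem.tag.lower()
    value = (elem.text or "").strip()
    if value and any(hint in tag for hint in SECRET_TAG_HINTS) and not ENCRYPTED_SECRET.match(value):
        findings.append(here)
    for child in elem:
        _walk(child, here, findings)


def find_cleartext_secrets(xml_text):
    """Return element paths in one config.xml whose secret-like value is stored in cleartext."""
    findings = []
    _walk(ET.fromstring(xml_text), "", findings)
    return findings


def scan_jobs(jobs_dir):
    """Scan every config.xml below a jobs directory; return {file path: [element paths]} for files with hits."""
    report = {}
    for cfg in Path(jobs_dir).rglob("config.xml"):
        try:
            hits = find_cleartext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            print(f"skip {cfg}: {exc}", file=sys.stderr)
            continue
        if hits:
            report[str(cfg)] = hits
    return report


# Constructed sample config.xml: one secret in the expected encrypted form, one written out in cleartext.
# The element names example.Deployer and example.Notifier are hypothetical, not real Jenkins plugins.
SAMPLE_CONFIG = """<project>
  <builders>
    <example.Deployer>
      <password>{AQAAABAAAAAQabcdefghijklmnopqrstuvwxyz0123456789=}</password>
    </example.Deployer>
  </builders>
  <publishers>
    <example.Notifier>
      <apiToken>constructed-cleartext-token-1234</apiToken>
    </example.Notifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    # Usage: python scan_config_xml.py /var/lib/jenkins/jobs   (path is an assumption; use your own JENKINS_HOME)
    if len(sys.argv) > 1:
        for path, hits in scan_jobs(sys.argv[1]).items():
            print(path, hits)
    else:
        print(find_cleartext_secrets(SAMPLE_CONFIG))
```

Run against the jobs directory of a controller that received POST config.xml submissions while an affected version was in use; any path the scanner reports is a candidate for rotating the secret and re-saving the job after the upgrade. Because the tag-name heuristic is only a hint, review each finding rather than treating an empty report as proof that nothing was exposed.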
Evidence notes
The vulnerability was reported by Jenkins and documented in their security advisory [ref-4].
Official resources
- CVE-2026-53442 CVE record (CVE.org)
- CVE-2026-53442 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE-2026-53442 was published on 2026-06-10T14:16:37.180Z and modified on 2026-06-12T00:59:52.957Z.