PatchSiren cyber security CVE debrief

CVE-2026-9674 Jenkins Project CVE debrief

A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. The vulnerability was published on 2026-05-27 and carries a CVSS 3.1 score of 4.3 (MEDIUM severity). The attack vector is network-based with low attack complexity, requiring no privileges but user interaction. The vulnerability affects confidentiality (none), integrity (low), and availability (none). The weakness is categorized as CWE-352 (Cross-Site Request Forgery). The Jenkins security advisory provides the authoritative technical details and remediation guidance.

Vendor: Jenkins Project
Product: Jenkins Multijob Plugin
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations using Jenkins with the Multijob Plugin for CI/CD pipelines, particularly those with automated build processes and multiple job orchestrations. Security teams responsible for securing build infrastructure and developers managing Jenkins configurations should prioritize this patch.

Technical summary

The Jenkins Multijob Plugin versions 662.vd2e0001f6b_b_d and earlier fail to properly validate cross-site request forgery tokens when processing requests to resume failed Multijob builds. An attacker can craft a malicious request that, when executed by an authenticated Jenkins user, triggers the resume action without the user's explicit intent. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N indicates network attack vector, low complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery).

Defensive priority

medium

Recommended defensive actions

Upgrade Jenkins Multijob Plugin to a version newer than 662.vd2e0001f6b_b_d per the Jenkins security advisory
Review Jenkins CSRF protection settings and ensure they are enabled
Audit Multijob build configurations for unauthorized resume actions
Monitor Jenkins access logs for suspicious build resume requests
Apply principle of least privilege to Jenkins user accounts
Consider implementing additional network segmentation for Jenkins instances

Evidence notes

CVE description and CVSS vector from NVD official record. Jenkins security advisory cited as primary technical source. CWE-352 classification confirmed via NVD weakness data.

Official resources

2026-05-27