MDR
Solutions
Partners
About
Resources
Affected Environment
Jenkins weekly versions 2.483–2.550 and LTS 2.492.1–2.541.1, particularly multi-user or externally accessible CI/CD environments.
Threat Overview
Stored XSS (CVE-2026-27099) and build metadata disclosure (CVE-2026-27100) allow script injection or inference of internal job details.
Exposure Timeline
Disclosed in the February 2026 Jenkins advisory; impacts supported weekly and LTS releases prior to patched versions.
Attack Surface
Jenkins web interface, specifically the “Mark temporarily offline” description field and Run Parameter submission functionality.
Technical Root Cause
Failure to escape user input enables stored XSS; inadequate validation of Run Parameters permits internal job and build enumeration.
Exploitation Pathway
Users with Agent or Item permissions inject malicious scripts or manipulate parameters to trigger XSS or disclose metadata.
Operational Impact
Stored XSS (CVSS 8.0) risks session hijacking and admin abuse; disclosure flaw (CVSS 4.3) supports reconnaissance of CI/CD pipelines.
Required Mitigation
Upgrade weekly to 2.551 and LTS to 2.541.2; enforce least privilege for Agent and Item permissions.
Incident Response Guidance
Audit logs for suspicious UI activity, isolate affected instances, rotate credentials, invalidate sessions, and review pipelines for tampering.
References
Jenkins Security Advisory (18 Feb 2026)
https://www.jenkins.io/security/advisory/2026-02-18/
Trusted by clients worldwide
Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.
.jpg)