Vulnerability 2026-02-20

Critical Jenkins Vulnerability Exposes Build Environments to XSS Attacks

A newly published Jenkins security advisory has confirmed multiple vulnerabilities in Jenkins Core, including a high-impact stored Cross-Site Scripting (XSS) flaw that could allow attackers to compromise CI/CD build environments.

The vulnerabilities, tracked as CVE-2026-27099 and CVE-2026-27100, were responsibly disclosed through the Jenkins Bug Bounty Program, which is sponsored by the European Commission.

CVE-2026-27099: Stored XSS in Node Offline Descriptions

The most severe issue, CVE-2026-27099, is rated high severity and affects Jenkins versions 2.550 and earlier, along with LTS 2.541.1 and earlier.

The root cause lies in how Jenkins processes offline cause descriptions, which are used to explain why a build agent or node has been taken offline.

Starting from Jenkins version 2.483, these descriptions began supporting HTML content. However, in vulnerable releases, this input was not properly escaped before being rendered in the UI.

An attacker with Agent/Configure or Agent/Disconnect permissions could inject malicious JavaScript into the offline cause description. When viewed by other users, the injected payload could execute in their browser, enabling session hijacking, credential theft, or further lateral movement within the Jenkins environment.

Jenkins versions 2.551 and LTS 2.541.2 fully address this issue by correctly escaping user-supplied input.

It is also worth noting that Jenkins instances running version 2.539 or newer with Content Security Policy (CSP) enforcement enabled gain partial protection, limiting the exploitability of this vulnerability.
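To make the escaping point concrete, here is an added Python example that is not part of the advisory or of Jenkins' own code. It shows the vulnerable rendering pattern (the stored description placed into the page verbatim) beside the fixed pattern (the description passed through html.escape before rendering), and then walks a constructed sample of the node list, as the /computer/api/json endpoint might return it, to flag offline cause descriptions that carry markup so an administrator can review them before upgrading. The field names in the sample (computer, displayName, offline, offlineCauseReason) and every node and description are assumptions made for this example.

```python
import html
import json
import re

# Constructed sample of the JSON that Jenkins' /computer/api/json endpoint
# returns for the node list. The field names (computer, displayName, offline,
# offlineCauseReason) are assumed for this example; the nodes and
# descriptions are invented.
SAMPLE_COMPUTER_API = json.dumps({
    "computer": [
        {"displayName": "linux-agent-1", "offline": True,
         "offlineCauseReason": "Disk replacement scheduled for Friday"},
        {"displayName": "win-agent-2", "offline": True,
         "offlineCauseReason": "Maintenance window <b>until Monday</b>"},
        {"displayName": "mac-agent-3", "offline": True,
         "offlineCauseReason": "<script>/* constructed marker, not a payload */</script>"},
        {"displayName": "linux-agent-4", "offline": False,
         "offlineCauseReason": ""},
    ]
})

MARKUP_RE = re.compile(r"<[^>]+>")
# Script tags, inline event handlers and javascript: URLs are what turn a
# formatting feature into code execution in the viewer's browser.
ACTIVE_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_unescaped(description: str) -> str:
    """Vulnerable behaviour: the stored description is placed in the page verbatim,
    so any markup in it is interpreted by the browser of whoever views the node."""
    return f'<span class="offline-cause">{description}</span>'


def render_escaped(description: str) -> str:
    """Fixed behaviour: <, >, &, and quotes are escaped, so the description is
    displayed as text and never parsed as markup."""
    return f'<span class="offline-cause">{html.escape(description, quote=True)}</span>'


def classify(description: str) -> str:
    """'plain' for text only, 'markup' for HTML formatting, 'active' for
    script-capable content; 'active' is what an administrator looks at first."""
    if ACTIVE_RE.search(description):
        return "active"
    if MARKUP_RE.search(description):
        return "markup"
    return "plain"


def audit_offline_causes(api_json: str) -> list[dict]:
    """Walk the node list and report every offline node whose description
    carries markup, most severe first."""
    data = json.loads(api_json)
    findings = []
    for node in data.get("computer", []):
        reason = node.get("offlineCauseReason") or ""
        kind = classify(reason)
        if node.get("offline") and kind != "plain":
            findings.append({"node": node["displayName"], "kind": kind, "reason": reason})
    order = {"active": 0, "markup": 1}
    findings.sort(key=lambda finding: order[finding["kind"]])
    return findings


if __name__ == "__main__":
    for finding in audit_offline_causes(SAMPLE_COMPUTER_API):
        print(f"[{finding['kind']}] {finding['node']}: {finding['reason']!r}")
    print(render_escaped("<b>x</b>"))
```

Escaping, as in render_escaped, is the fix the advisory describes; the classify/audit functions are a stop-gap for reviewing descriptions already stored on an instance that cannot be upgraded immediately. A finding of kind "markup" may be harmless formatting, while "active" deserves a look at who set it and when.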

CVE-2026-27100: Build Information Disclosure via Run Parameters

The second issue, CVE-2026-27100, carries a medium severity rating and impacts the handling of Run Parameter values in Jenkins.

In affected versions up to 2.550 and LTS 2.541.1, users could supply Run Parameter values referencing jobs or builds they were not authorized to access. While direct access was still restricted, attackers could infer whether certain jobs or builds existed, leading to unintended information disclosure.

This type of metadata leakage can be valuable during reconnaissance, especially in large Jenkins environments where job names often reveal internal project structures.

Jenkins 2.551 and LTS 2.541.2 now properly validate and reject unauthorized Run Parameter values, closing this information leak.
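The leak described above is an authorization oracle: the server's reaction to a submitted value differs depending on whether the referenced job or build exists, even when the caller may not read it. The following added Python example (not the advisory's or Jenkins' own code) models that with a tiny job catalogue and a Job/Read check. validate_leaky shows the pattern assumed to produce the leak, existence checked before authorization with distinct error messages; validate_fixed treats an unreadable job exactly like a missing one and returns a single generic rejection. The job names, users, permissions, and the "job#number" value shape are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Job:
    name: str
    readers: frozenset   # users holding Job/Read on this job
    builds: frozenset    # build numbers that exist


# Constructed job catalogue for the example: "secret-release" is visible only
# to alice, "public-build" to alice and bob. Names and permissions are invented.
JOBS = {
    "public-build": Job("public-build", frozenset({"alice", "bob"}), frozenset({1, 2, 3})),
    "secret-release": Job("secret-release", frozenset({"alice"}), frozenset({7})),
}


class ParameterRejected(ValueError):
    """Raised when a submitted Run Parameter value is not accepted."""


def _split(value: str):
    # A Run Parameter value names a build as "<job name>#<build number>";
    # accepting only that shape is an assumption of this example.
    job_name, sep, build = value.rpartition("#")
    if not sep or not build.isdigit():
        raise ParameterRejected("malformed value")
    return job_name, int(build)


def validate_leaky(user: str, value: str, jobs=JOBS):
    """Pre-fix pattern (an assumption about the bug class, not the actual Jenkins
    code): existence is checked before authorization, so the error text reveals
    whether the job and build exist even when the user may not read them."""
    job_name, number = _split(value)
    job = jobs.get(job_name)
    if job is None:
        raise ParameterRejected("no such job")
    if number not in job.builds:
        raise ParameterRejected("no such build")
    if user not in job.readers:
        raise ParameterRejected("access denied")
    return job_name, number


def validate_fixed(user: str, value: str, jobs=JOBS):
    """Fixed pattern: a job the user cannot read is treated exactly like a job
    that does not exist, and every rejection uses the same message, so the
    response carries no existence information."""
    job_name, number = _split(value)
    job = jobs.get(job_name)
    if job is None or user not in job.readers or number not in job.builds:
        raise ParameterRejected("invalid Run Parameter value")
    return job_name, number


def probe(validator, user: str, value: str) -> str:
    """Return the outcome a caller would observe for one submitted value."""
    try:
        validator(user, value)
        return "accepted"
    except ParameterRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # bob cannot read secret-release; compare what each validator tells him.
    for value in ("secret-release#7", "secret-release#8", "no-such-job#7"):
        print(f"{value:>18}: leaky={probe(validate_leaky, 'bob', value)!r:>18} "
              f"fixed={probe(validate_fixed, 'bob', value)!r}")
```

Running the block prints three different messages from validate_leaky for a user without Job/Read and the same message three times from validate_fixed. The ordering matters as much as the message text: checking the permission first, and collapsing "unreadable" into "does not exist", is what removes the oracle.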

Affected Versions Overview

CVE ID         | Severity | Description                                    | Affected Versions
CVE-2026-27099 | High     | Stored XSS via node offline cause description  | Jenkins ≤ 2.550, LTS ≤ 2.541.1
CVE-2026-27100 | Medium   | Build information disclosure via Run Parameter | Jenkins ≤ 2.550, LTS ≤ 2.541.1

Mitigation and Recommendations

Jenkins administrators are strongly advised to upgrade immediately to Jenkins 2.551 or LTS 2.541.2. Environments running older versions remain exposed to stored XSS attacks and unauthorized disclosure of build metadata.
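Checking a fleet of controllers against the fixed versions is easy to get wrong because weekly and LTS releases are numbered differently (2.550 versus 2.541.1). The added Python example below, which is not part of the advisory or of Jenkins, encodes the affected ranges from the advisory: needs_upgrade returns True for Jenkins 2.550 and earlier or LTS 2.541.1 and earlier, and csp_partial_mitigation reflects the note that 2.539 or newer with CSP enforcement enabled is partially protected. It reads the version from the X-Jenkins response header that Jenkins sends; the headers in the main block are constructed, and comparing only the first two components of an LTS version against 2.539 is an assumption of this example.

```python
from typing import Tuple

FIXED_WEEKLY = (2, 551)          # first weekly release that fixes both CVEs
FIXED_LTS = (2, 541, 2)          # first LTS release that fixes both CVEs
CSP_HARDENING_WEEKLY = (2, 539)  # CSP enforcement (partial XSS mitigation) from here on


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'X.Y' (weekly) or 'X.Y.Z' (LTS) into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    # Jenkins LTS releases carry a third component (e.g. 2.541.1); weeklies do not.
    return len(version) == 3


def needs_upgrade(text: str) -> bool:
    """True when the instance is inside the affected range for CVE-2026-27099
    and CVE-2026-27100 (Jenkins <= 2.550, LTS <= 2.541.1)."""
    version = parse_version(text)
    return version < (FIXED_LTS if is_lts(version) else FIXED_WEEKLY)


def csp_partial_mitigation(text: str, csp_enforced: bool) -> bool:
    """True when the advisory's partial XSS mitigation applies: 2.539 or newer
    with CSP enforcement enabled. Comparing an LTS version by its first two
    components against 2.539 is an assumption made for this example."""
    return csp_enforced and parse_version(text)[:2] >= CSP_HARDENING_WEEKLY


def version_from_headers(headers: dict) -> str:
    """Jenkins reports its version in the X-Jenkins response header; look it
    up case-insensitively in a dict of captured headers."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value
    raise KeyError("X-Jenkins header not present")


if __name__ == "__main__":
    # Constructed header sets standing in for responses from three controllers.
    captured = {
        "build-ci": {"Content-Type": "text/html", "X-Jenkins": "2.550"},
        "release-ci": {"Content-Type": "text/html", "X-Jenkins": "2.541.2"},
        "legacy-ci": {"Content-Type": "text/html", "x-jenkins": "2.516.3"},
    }
    for host, headers in captured.items():
        version = version_from_headers(headers)
        status = "UPGRADE" if needs_upgrade(version) else "ok"
        csp = "csp-partial" if csp_partial_mitigation(version, csp_enforced=True) else "no-csp-help"
        print(f"{host:<12} {version:<10} {status:<8} {csp}")
```

Note that an older LTS line such as 2.516.3 compares below 2.541.2 and is reported as needing an upgrade, which matches the advisory's "LTS 2.541.1 and earlier" wording. The CSP result is advisory only: it tells you exploitability is reduced, not that the instance is patched.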

Given Jenkins’ central role in CI/CD pipelines, exploitation of these flaws could have cascading security consequences across development and production workflows.
