CVE-2026-27100

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:jenkins:jenkins:::::lts:::*
	cpe:2.3:a:jenkins:jenkins:::::-:::*

History

No history.

Information

Published : 2026-02-18 15:18

Updated : 2026-02-20 20:53

NVD link : CVE-2026-27100

Mitre link : CVE-2026-27100

CVE.ORG link : CVE-2026-27100

JSON object : View

Products Affected

jenkins

jenkins

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-27100", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-18T15:18:43.967", "references": [{"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name."}, {"lang": "es", "value": "Jenkins 2.550 y anteriores, LTS 2.541.1 y anteriores acepta valores de par\u00e1metros de ejecuci\u00f3n que hacen referencia a compilaciones a las que el usuario que env\u00eda la compilaci\u00f3n no tiene acceso, permitiendo a atacantes con permiso de Elemento/Compilaci\u00f3n y Elemento/Configurar obtener informaci\u00f3n sobre la existencia de trabajos, la existencia de compilaciones, y si una compilaci\u00f3n especificada existe, su nombre de visualizaci\u00f3n."}], "lastModified": "2026-02-20T20:53:16.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "1BA732A2-5EA7-4C70-AF40-4E696689C4F7", "versionEndExcluding": "2.541.2"}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "2D2F2C2E-E436-4367-B067-C8E6CE7ECBD8", "versionEndExcluding": "2.551"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}