Critical Jenkins Vulnerabilities Expose Build Environments to XSS Attacks
Recent security advisories have unveiled multiple vulnerabilities within Jenkins Core, notably a high-severity stored Cross-Site Scripting (XSS) flaw, posing significant risks to build environments. These vulnerabilities, identified as CVE-2026-27099 and CVE-2026-27100, were responsibly disclosed through the Jenkins Bug Bounty Program, sponsored by the European Commission.
CVE-2026-27099: Stored XSS in Node Offline Cause Description
The most critical of these vulnerabilities, CVE-2026-27099, affects Jenkins versions 2.550 and earlier, as well as Long-Term Support (LTS) versions 2.541.1 and earlier. This flaw originates from the handling of offline cause descriptions, which explain why a build node goes offline. Since version 2.483, Jenkins allowed HTML content in these descriptions; however, in vulnerable versions, the input wasn’t properly escaped.
Impact and Exploitation
An attacker with Agent/Configure or Agent/Disconnect permissions could inject malicious JavaScript into the offline cause description. This injection could compromise other users’ sessions, leading to unauthorized actions or data exposure within the Jenkins environment.
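A defender's first question after an advisory like this is whether any existing offline cause description on their controller already carries markup. The following Python script is an added example, not code from the advisory or from the Jenkins project: it triages a constructed sample shaped like the JSON the Jenkins computer API returns (the assumed query path is `/computer/api/json?tree=computer[displayName,offline,offlineCauseReason]`), flags descriptions containing markup or active content, and shows the escaped form that a hardened renderer would emit. The node names and descriptions are constructed.

```python
import html
import json
import re

# Constructed sample resembling the Jenkins computer API output
# (assumed path: /computer/api/json?tree=computer[displayName,offline,offlineCauseReason]).
# The node names and descriptions below are made up for this example.
SAMPLE_COMPUTER_JSON = json.dumps({
    "computer": [
        {"displayName": "built-in", "offline": False, "offlineCauseReason": ""},
        {"displayName": "linux-agent-1", "offline": True,
         "offlineCauseReason": "Disconnected by admin: disk replacement"},
        {"displayName": "win-agent-2", "offline": True,
         "offlineCauseReason": "maintenance <b>until Friday</b>"},
        {"displayName": "mac-agent-3", "offline": True,
         "offlineCauseReason": "<img src=x onerror=\"alert(1)\">"},
    ]
})

# Any HTML-looking tag at all (formatting such as <b> is allowed since 2.483).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Constructs that execute script: <script>, inline event handlers, javascript: URLs.
ACTIVE_RE = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def classify_description(desc):
    """Return 'empty', 'plain', 'markup' or 'active-content' for one description."""
    if not desc:
        return "empty"
    if ACTIVE_RE.search(desc):
        return "active-content"
    if TAG_RE.search(desc):
        return "markup"
    return "plain"


def safe_render(desc):
    """Hardened rendering: escape user-supplied text before interpolating into HTML."""
    return '<span class="offline-cause">%s</span>' % html.escape(desc, quote=True)


def triage(computer_json):
    """List nodes whose offline cause description carries markup or active content."""
    data = json.loads(computer_json)
    findings = []
    for c in data.get("computer", []):
        desc = c.get("offlineCauseReason") or ""
        level = classify_description(desc)
        if level in ("markup", "active-content"):
            findings.append({
                "node": c["displayName"],
                "level": level,
                "escaped": html.escape(desc, quote=True),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_COMPUTER_JSON):
        print(f"{f['node']}: {f['level']} -> {f['escaped']}")
```

Run against a real controller, the script would be fed the API response instead of the sample; anything classified `active-content` is a candidate for the stored XSS described above and should be traced back to whoever holds Agent/Configure or Agent/Disconnect on that node.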
CVE-2026-27100: Build Information Disclosure via Run Parameter
The second vulnerability, CVE-2026-27100, rated medium severity, affects how Jenkins handles Run Parameter values. In versions up to 2.550 (and LTS 2.541.1), users could query builds or jobs they didn’t have permission to access. This flaw allowed attackers to determine the existence of specific projects or builds, potentially leading to unauthorized information disclosure.
Mitigation Measures
Jenkins versions 2.551 and LTS 2.541.2 address these issues by escaping user-supplied input and properly rejecting unauthorized Run Parameter values. Additionally, instances using Content Security Policy (CSP) enforcement on Jenkins 2.539 and newer are partially protected against these attacks.
Recommendations for Administrators
Jenkins administrators are strongly advised to update to the latest versions—2.551 or LTS 2.541.2—to mitigate both vulnerabilities. Builds relying on older versions remain at risk of script injection and unauthorized exposure of build information.
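Because the weekly and LTS release lines have different fixed versions, a fleet inventory check has to treat a two-part version (weekly, e.g. 2.550) and a three-part version (LTS, e.g. 2.541.1) separately. The Python below is an added example, not tooling from Jenkins or the advisory; it encodes only the thresholds stated on this page (affected up to 2.550 / LTS 2.541.1, fixed in 2.551 / LTS 2.541.2, CSP enforcement partially protective from 2.539) and reports, for a given version string, whether the instance is affected, which release to move to, and whether CSP enforcement can offer partial protection meanwhile.

```python
# Thresholds taken from the advisory summary above; the version strings fed in are
# the only input and are whatever the inventory reports for each controller.
FIXED_WEEKLY = (2, 551)        # weekly 2.551 fixes both CVEs
FIXED_LTS = (2, 541, 2)        # LTS 2.541.2 fixes both CVEs
CSP_ENFORCEMENT_SINCE = (2, 539)  # CSP enforcement available from 2.539 (partial protection)


def parse_version(s):
    """Turn '2.550' or '2.541.1' into a comparable tuple of ints."""
    parts = s.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {s!r}")
    return tuple(int(p) for p in parts)


def is_lts(v):
    """LTS releases carry a third component (2.541.1); weekly releases do not (2.550)."""
    return len(v) == 3


def is_affected(version):
    v = parse_version(version)
    if is_lts(v):
        return v < FIXED_LTS      # 2.541.1 and earlier LTS releases
    return v < FIXED_WEEKLY       # 2.550 and earlier weekly releases


def csp_partial_protection(version):
    """True if the core version is new enough for CSP enforcement to apply."""
    v = parse_version(version)
    return v[:2] >= CSP_ENFORCEMENT_SINCE


def assess(version):
    """Summarise exposure for one controller version."""
    v = parse_version(version)
    return {
        "version": version,
        "line": "lts" if is_lts(v) else "weekly",
        "affected": is_affected(version),
        "fixed_in": "2.541.2" if is_lts(v) else "2.551",
        "csp_partial_protection": csp_partial_protection(version),
    }


if __name__ == "__main__":
    # Constructed inventory of controller versions for demonstration.
    for ver in ["2.483", "2.538", "2.550", "2.551", "2.541.1", "2.541.2"]:
        print(assess(ver))
```

Partial protection is exactly that: an instance on 2.539 or newer with CSP enforcement turned on still needs the update, since CVE-2026-27100 is an authorization flaw that CSP does not touch.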