CVE-2026-48926

Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

medium 4.3 CVSS 3.1
Published: May 27, 2026
Modified: Jun 2, 2026
Vendor: Jenkins
Product: Job Import
Versions: 143.v044a_2e819b_27

Description

Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

References

Related CVEs

CVE-2026-48916 medium · 6.6
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals.
CVE-2026-48917 medium · 6.6
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation.