@nahamsec found a test Jenkins instance where they could login with any valid Google account.
Once logged in, they gained the ability to execute arbitrary code via the Jenkins Script Console. This was a test jenkins instance with no access to source code or resources.
Here is the Methodology used to find this bug: https://www.hackerone.com/blog/how-to-recon-and-content-discovery
If I get a chance, I may release all details on in a dedicated blogpost.