18 matches found

Vulnrichment
added 2026/02/18 2:17 p.m. · 2 views

CVE-2026-27100

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds,...

5.5 AI score · 0.00354 EPSS
Exploits 0 · References 1
CVE
added 2025/07/09 3:39 p.m. · 28 views

CVE-2025-53652

Summary (CVE-2025-53652): Jenkins Git Parameter Plugin (versions 439.vb_0e46ca_14534 and earlier) does not validate that the submitted Git parameter matches an offered choice. With Item/Build permission, an attacker can inject arbitrary values into Git parameters, which can propagate to the SCM ...

8.2 CVSS · 6.5 AI score · 0.00068 EPSS
Exploits 1 · References 2 · Affected Software 1
RedHat Linux
added 2025/03/04 2:39 p.m. · 4 views

jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines

A flaw was found in the Jenkins Pipeline: Groovy Plugin jenkins-plugin/workflow-cps. This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main Jenkinsfile script is no longer approved, bypassing script approval checks via the rebuild action...

8 CVSS · 5.7 AI score · 0.014 EPSS
Exploits 1 · References 5
RedHat Linux
added 2025/03/04 2:38 p.m. · 4 views

jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines

A flaw was found in the Jenkins Pipeline: Groovy Plugin jenkins-plugin/workflow-cps. This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main Jenkinsfile script is no longer approved, bypassing script approval checks via the rebuild action...

8 CVSS · 5.7 AI score · 0.014 EPSS
Exploits 1 · References 5
OSV
added 2024/11/13 9:15 p.m. · 1 view

CVE-2024-52551

Jenkins Pipeline: Declarative Plugin 2.2214.vbb34b2ea9b83 and earlier does not check whether the main Jenkinsfile script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer...

8 CVSS · 7.6 AI score
Exploits 0 · References 1
Vulnrichment
added 2024/11/13 8:53 p.m. · 20 views

CVE-2024-52550

Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main Jenkinsfile script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose Jenkinsfile script is no longer approv...

6.7 AI score · 0.014 EPSS
Exploits 1 · References 1
Positive Technologies
added 2024/11/13 12:0 a.m. · 3 views

PT-2024-35373 · Jenkins · Jenkins Pipeline: Declarative Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Declarative Plugin versions 2.2214.vbb34b2ea9b83 and earlier. Description: The issue allows attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer approved, as the plugin...

8 CVSS · 6.4 AI score · 0.00549 EPSS
Exploits 0 · References 7
SUSE CVE
added 2023/02/15 4:35 a.m. · 1 view

SUSE CVE-2017-1000108

The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead...

7.5 CVSS · 6.8 AI score · 0.00085 EPSS
Exploits 0 · References 3
Github Security Blog
added 2022/05/24 5:48 p.m. · 33 views

Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds

Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. Jenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP...

4.3 CVSS · 4.8 AI score · 0.00162 EPSS
Exploits 0 · References 5 · Affected Software 1
OSV
added 2022/05/24 5:48 p.m. · 25 views

GHSA-7RX6-4VWV-432G Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds

Jenkins CloudBees CD Plugin does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission. Jenkins CloudBees CD Plugin requires Item/Build permission to schedule builds via its HTTP...

4.3 CVSS · 4.7 AI score · 0.00162 EPSS
Exploits 0 · References 5
Github Security Blog
added 2022/05/17 12:29 a.m. · 20 views

Jenkins Pipeline: Input Step Plugin

The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead...

7.5 CVSS · 3.5 AI score · 0.00085 EPSS
Exploits 0 · References 3 · Affected Software 1
OSV
added 2022/05/17 12:29 a.m. · 2 views

GHSA-HRWC-PQFM-G6QF Jenkins Subversion Plugin Cross-Site Request Forgery vulnerability

Subversion Plugin connects to a user-specified Subversion repository as part of form validation e.g. to retrieve a list of tags. This functionality improperly checked permissions, allowing any user with Item/Build permission but not Item/Configure to connect to any web server or Subversion server...

6.5 CVSS · 5.9 AI score · 0.00141 EPSS
Exploits 0 · References 4
NVD
added 2021/04/21 3:15 p.m. · 18 views

CVE-2021-21647

Jenkins CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build permission...

4.3 CVSS · 0.00162 EPSS
Exploits 0 · References 2
Positive Technologies
added 2021/04/21 12:0 a.m. · 3 views

PT-2021-14690 · Cloudbees +1 · Jenkins Cloudbees Cd Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins CloudBees CD Plugin versions 1.1.21 and earlier. Description: The issue concerns a lack of permission check in an HTTP endpoint, allowing attackers with Item/Read permission to schedule builds of projects without having Item/Build...

4.3 CVSS · 4.3 AI score · 0.00162 EPSS
Exploits 0 · References 8
NVD
added 2017/10/05 1:29 a.m. · 7 views

CVE-2017-1000108

The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead...

7.5 CVSS · 7.4 AI score · 0.00085 EPSS
Exploits 0 · References 1
Prion
added 2017/10/05 1:29 a.m. · 11 views

Input validation

The Pipeline: Input Step Plugin by default allowed users with Item/Read access to a pipeline to interact with the step to provide input. This has been changed, and now requires users to have the Item/Build permission instead...

5 CVSS · 7.4 AI score · 0.00085 EPSS
Exploits 0 · References 1 · Affected Software 1
CVE
added 2017/10/04 1:0 a.m. · 71 views

CVE-2017-1000108

CVE-2017-1000108 concerns the Jenkins Pipeline: Input Step Plugin. The vulnerability arises because, by default, users with Item/Read access could interact with the input step, potentially exposing sensitive workflow interactions. The issue is mitigated by changing the permission model so that on...

7.5 CVSS · 7.3 AI score · 0.00085 EPSS
Exploits 0 · References 1 · Affected Software 1
RedHat Linux
added 2017/09/08 3:14 a.m. · 2 views

jenkins-plugin-subversion: CSRF vulnerability and insufficient permission checks allow capturing credentials (SECURITY-303)

Subversion Plugin improperly checked permissions, requiring just Item/Build instead of Item/Configure when used. This allows a user to specify an attacker-controlled Subversion server which can then be used to collect credentials used by the Subversion plugin...

6.5 CVSS · 6.5 AI score · 0.00141 EPSS
Exploits 0 · References 5