• Category: Security
  • Status: confirmed
  • Sources: Jenkins security advisory 2026-06-10, cybersecuritynews.com
  • Summary: Jenkins published a security advisory on 2026-06-10 covering multiple CVEs in Jenkins core and plugins. Jenkins 2.568 and LTS 2.555.3 restrict deserialization types in agent-controller communication and configuration loading, closing a vector for deserialization attacks. CVE-2026-53436 and CVE-2026-53437 fix improper URL redirect validation in the default login flow that could redirect authenticated users to attacker-controlled sites. CVE-2026-53442 fixes config.xml POST submissions writing plaintext secrets to disk where users with Item/Extended Read permission could read them. CVE-2026-53438 fixes a missing Item/Read permission check allowing users with Item/Cancel permission to cancel arbitrary queue items.
  • Why it matters: CI/CD servers are high-value targets; Jenkins operators should upgrade to 2.568 or LTS 2.555.3 to close the deserialization and secret-exposure vectors.

Send feedback on this story