CI/CD at Risk: High-Severity Jenkins XSS Flaw Exposes Build Environments

Maintainers of Jenkins, the world’s leading open-source automation server, have issued critical security updates to address two vulnerabilities within its core architecture. The advisory highlights a high-severity stored Cross-Site Scripting (XSS) flaw and a medium-severity information disclosure issue, both of which could allow rogue actors to manipulate or map out internal build environments.

The most critical of the two vulnerabilities, tracked as CVE-2026-27099, carries a High severity (CVSS) rating. The flaw resides in how Jenkins handles the text descriptions for nodes that have been taken offline.

According to the advisory, the vulnerability stems from a recent design choice regarding text formatting. “Since Jenkins 2.483, the description of the reason why a node is offline (the ‘offline cause’) is defined as containing HTML and rendered as such,” the report explains.

Unfortunately, the software failed to sanitize this input properly. “Jenkins 2.550 and earlier, LTS 2.541.1 and earlier does not escape the user-provided description of the ‘Mark temporarily offline’ offline cause”.

This oversight means that an attacker with Agent/Configure or Agent/Disconnect permissions can inject malicious scripts directly into the offline cause field. The advisory warns that “This results in a stored cross-site scripting (XSS) vulnerability,” meaning the malicious payload will execute in the browser of any administrator or user who subsequently views the node’s status.

The second vulnerability, CVE-2026-27100, is a Medium severity information disclosure bug tied to the “Run Parameter” feature.

In vulnerable versions, Jenkins “accepts Run Parameter values that refer to builds the user submitting the build does not have access to”.

While this doesn’t grant direct access to the source code or artifacts, it provides a valuable reconnaissance vector for malicious insiders. The advisory explains that “This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name”.

For organizations relying on Jenkins for their CI/CD pipelines, updating is essential to close these security gaps. The Jenkins team has outlined clear upgrade paths for both their weekly and Long-Term Support (LTS) releases:

• Jenkins weekly: Administrators should update from versions up to 2.550 to the patched version 2.551.
• Jenkins LTS: Administrators should update from versions up to 2.541.1 to the patched version 2.541.2.

Related Posts:

• Security Vulnerabilities Uncovered in Jenkins: Immediate Updates Recommended
• Misconfigured Jenkins Servers Targeted in Cryptojacking Attacks
• Hackers earn $3 million by exploiting Jenkins servers and inserting mining Monero scripts
• RansomEXX Group Exploits Jenkins Vulnerability (CVE-2024-23897) in Major Indian Banking Attack