CVE-2026-27100
Information Disclosure via Insecure Run Parameter in Jenkins Builds
Publication date: 2026-02-18
Last updated on: 2026-02-20
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | jenkins | to 2.551 (exc) |
| jenkins | jenkins | to 2.541.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Jenkins versions 2.550 and earlier, including LTS 2.541.1 and earlier. It occurs because Jenkins accepts Run Parameter values that refer to builds which the user submitting the build does not have permission to access.
As a result, attackers who have Item/Build and Item/Configure permissions can exploit this flaw to obtain information about the existence of jobs, the existence of builds, and details such as the display name of a specified build, even if they are not authorized to view those builds.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized information disclosure. Attackers with certain permissions can learn about jobs and builds they should not have access to, potentially exposing sensitive project or build information.
While it does not allow direct access to build contents or execution, the exposure of metadata such as job existence and build display names can aid attackers in reconnaissance and further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know