CVE-2026-27100
Received Received - Intake
Information Disclosure via Insecure Run Parameter in Jenkins Builds

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: Jenkins Project

Description
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27100
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jenkins jenkins to 2.551 (exc)
jenkins jenkins to 2.541.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Jenkins versions 2.550 and earlier, including LTS 2.541.1 and earlier. It occurs because Jenkins accepts Run Parameter values that refer to builds which the user submitting the build does not have permission to access.

As a result, attackers who have Item/Build and Item/Configure permissions can exploit this flaw to obtain information about the existence of jobs, the existence of builds, and details such as the display name of a specified build, even if they are not authorized to view those builds.

Impact Analysis

This vulnerability can lead to unauthorized information disclosure. Attackers with certain permissions can learn about jobs and builds they should not have access to, potentially exposing sensitive project or build information.

While it does not allow direct access to build contents or execution, the exposure of metadata such as job existence and build display names can aid attackers in reconnaissance and further attacks.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27100. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart