CVE-2026-42520
Jenkins Credentials Binding Plugin Path Traversal Vulnerability
Publication date: 2026-04-29
Last updated on: 2026-05-06
Assigner: Jenkins Project
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | credentials_binding | to 719.v80e905ef14eb (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Jenkins Credentials Binding Plugin version 719.v80e905ef14eb_ and earlier does not properly sanitize file names for file and zip file credentials. This flaw allows attackers who can provide credentials to a Jenkins job to write files to arbitrary locations on the node's filesystem.
If Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node, this vulnerability can be exploited to write malicious files, potentially leading to remote code execution.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized file writes to arbitrary locations on the Jenkins node filesystem.
Such unauthorized file writes can lead to remote code execution, allowing attackers to execute arbitrary code on the Jenkins server with the privileges of the Jenkins process.
This can compromise the integrity, confidentiality, and availability of the Jenkins environment and potentially the broader infrastructure it interacts with.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Jenkins Credentials Binding Plugin to a version later than 719.v80e905ef14eb_ where the issue with unsanitized file names for file and zip file credentials is fixed.
Additionally, review and restrict permissions so that low-privileged users cannot configure file or zip file credentials used for jobs running on the built-in node, as this configuration can lead to remote code execution.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier, which do not sanitize file names for file and zip file credentials. Detection involves verifying the plugin version and checking if Jenkins allows low-privileged users to configure file or zip file credentials for jobs running on the built-in node.
To detect if your Jenkins instance is vulnerable, you can:
- Check the installed version of the Credentials Binding Plugin to see if it is 719.v80e905ef14eb_ or earlier.
- Review Jenkins job configurations to identify if any low-privileged users have permission to configure file or zip file credentials.
- Look for suspicious files written to arbitrary locations on the node filesystem, which could indicate exploitation.
Suggested commands to assist detection (run on the Jenkins server or via Jenkins CLI):
- To check the plugin version, use: `java -jar jenkins-cli.jar -s http://your-jenkins-server/ list-plugins | grep credentials-binding`
- To find jobs configured with file or zip file credentials, you can search job configuration XML files for relevant credential bindings, for example: `grep -r '<file>' "$JENKINS_HOME/jobs/"`
- To detect unexpected files on the node filesystem, use commands like: `find /path/to/jenkins/node/workspace -type f -mtime -7` to find recently modified files.
Note: No specific detection commands are provided in the available resources, so these suggestions are based on the nature of the vulnerability.
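The version check and the job-configuration search above can be scripted so they run offline against a copy of `$JENKINS_HOME`. The script below is an added example, not part of this record or of the Jenkins project's tooling. It assumes the standard Jenkins plugin layout, where the installed version is recorded in the `Plugin-Version:` header of `$JENKINS_HOME/plugins/credentials-binding/META-INF/MANIFEST.MF`, and it assumes that file and zip-file bindings appear in job `config.xml` files under the class names `org.jenkinsci.plugins.credentialsbinding.impl.FileBinding` and `ZipFileBinding` (an assumption about the plugin's Java package, not something stated on this page). The affected range is taken from the record: versions `719.v80e905ef14eb_` and earlier, so the check compares the numeric prefix of the version string against 719.

```bash
#!/bin/sh
# Added example: offline checks for CVE-2026-42520 exposure in a Jenkins home directory.
# Assumptions (not from the advisory): standard plugin MANIFEST.MF layout and the
# credentials-binding class names used to detect file / zip-file bindings in job configs.

# Extract the numeric prefix of a Jenkins plugin version string.
# "719.v80e905ef14eb_" -> "719"; prints nothing if the string does not start with digits.
version_prefix() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)\..*/\1/p'
}

# Return 0 (true) when the version falls in the affected range (719.x and earlier).
# Older 1.x releases also have a prefix <= 719 and are therefore reported as affected.
is_affected_version() {
  p=$(version_prefix "$1")
  [ -n "$p" ] && [ "$p" -le 719 ]
}

# Read the Plugin-Version header from a MANIFEST.MF file (tolerates CRLF line endings).
manifest_version() {
  sed -n 's/^Plugin-Version: *//p' "$1" | tr -d '\r' | head -n 1
}

# Return 0 when a job config.xml binds a file or zip-file credential.
# The class names are an assumption about the plugin's implementation package.
config_binds_file_credential() {
  grep -qE 'credentialsbinding\.impl\.(File|ZipFile)Binding' "$1"
}

# Check a whole Jenkins home: report the plugin version and list jobs using file bindings.
# Usage: check_jenkins_home /var/lib/jenkins
check_jenkins_home() {
  home=$1
  manifest="$home/plugins/credentials-binding/META-INF/MANIFEST.MF"
  if [ -r "$manifest" ]; then
    v=$(manifest_version "$manifest")
    if is_affected_version "$v"; then
      echo "credentials-binding $v: in affected range for CVE-2026-42520"
    else
      echo "credentials-binding $v: not in affected range"
    fi
  else
    echo "credentials-binding plugin manifest not found under $home"
  fi
  # Jobs whose configuration binds file or zip-file credentials deserve a permissions review.
  find "$home/jobs" -name config.xml 2>/dev/null | while read -r cfg; do
    if config_binds_file_credential "$cfg"; then
      echo "file/zip credential binding in: $cfg"
    fi
  done
}

# Self-contained demonstration on constructed data (a fake Jenkins home in a temp directory).
demo() {
  fake_home=$(mktemp -d)
  mkdir -p "$fake_home/plugins/credentials-binding/META-INF" "$fake_home/jobs/build-app"
  printf 'Manifest-Version: 1.0\r\nPlugin-Version: 719.v80e905ef14eb_\r\n' \
    > "$fake_home/plugins/credentials-binding/META-INF/MANIFEST.MF"
  printf '<bindings><org.jenkinsci.plugins.credentialsbinding.impl.FileBinding/></bindings>\n' \
    > "$fake_home/jobs/build-app/config.xml"
  check_jenkins_home "$fake_home"
  rm -rf "$fake_home"
}

demo
```

Run it against a real installation with `check_jenkins_home /var/lib/jenkins` (or wherever `JENKINS_HOME` points); a version reported as in range means the plugin update from the mitigation answer is still outstanding, and each listed job is one whose credential-configuration permissions should be reviewed.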