CVE-2026-42521
Jenkins Matrix Authorization Strategy Plugin Deserialization Flaw
Publication date: 2026-04-29
Last updated on: 2026-05-06
Assigner: Jenkins Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | matrix_authorization_strategy | From 2.1 (inc) to 3.2.10 (exc) |
| jenkins | matrix_authorization_strategy | 2.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Jenkins Matrix Authorization Strategy Plugin versions 2.0-beta-1 through 3.2.9. It occurs because the plugin invokes parameterless constructors of classes specified in its configuration during deserialization of inheritance strategies without restricting which classes can be instantiated.
This lack of restriction allows attackers who have Item/Configure permission to instantiate arbitrary types. Essentially, an attacker can create instances of any class available on the classpath, which can lead to unintended behavior.
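The pattern described above, instantiating whatever class a configuration string names, is ordinary Java reflection (`Class.forName` followed by a no-arg `newInstance`). The following is an added illustration written for this page, not code from the plugin or the Jenkins project: `StrategyLoader`, `InheritanceStrategy` and the two strategy classes are hypothetical stand-ins, and the configuration entries are constructed sample input. It places the unrestricted loader next to a hardened one that resolves names only through an explicit allowlist, so a string naming any other class on the classpath is rejected before any class is even looked up.

```java
import java.util.Map;

/**
 * Added illustration (hypothetical names, not the plugin's own code) of loading an
 * "inheritance strategy" from a class name stored in configuration.
 */
public class StrategyLoader {

    /** Hypothetical interface standing in for the real strategy type. */
    public interface InheritanceStrategy {
        String name();
    }

    public static final class InheritingStrategy implements InheritanceStrategy {
        public String name() { return "inheriting"; }
    }

    public static final class NonInheritingStrategy implements InheritanceStrategy {
        public String name() { return "non-inheriting"; }
    }

    /**
     * Weak pattern (CWE-502 style): the configured name is trusted, the class is
     * resolved and its parameterless constructor is invoked. Any class on the
     * classpath with a public no-arg constructor can be created, including types
     * that are not strategies at all, and merely resolving it may run its static
     * initializer.
     */
    public static Object loadUnrestricted(String className) throws ReflectiveOperationException {
        Class<?> clazz = Class.forName(className);
        return clazz.getDeclaredConstructor().newInstance();
    }

    /** Allowlist keyed by fully qualified name: the only classes configuration may name. */
    private static final Map<String, Class<? extends InheritanceStrategy>> ALLOWED = Map.of(
            InheritingStrategy.class.getName(), InheritingStrategy.class,
            NonInheritingStrategy.class.getName(), NonInheritingStrategy.class);

    /**
     * Hardened pattern: the untrusted string is only used as a lookup key. No
     * Class.forName is ever called on it, so an unknown name cannot load or
     * initialize anything; the constructor is invoked only on an allowlisted type.
     */
    public static InheritanceStrategy loadRestricted(String className) throws ReflectiveOperationException {
        Class<? extends InheritanceStrategy> clazz = ALLOWED.get(className);
        if (clazz == null) {
            throw new IllegalArgumentException("strategy class not permitted: " + className);
        }
        return clazz.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration: one legitimate entry and one naming an
        // unrelated JDK class, the kind of value the allowlist must reject.
        Map<String, String> config = Map.of(
                "job-a", InheritingStrategy.class.getName(),
                "job-b", "java.util.ArrayList");

        for (Map.Entry<String, String> entry : config.entrySet()) {
            Object unrestricted = loadUnrestricted(entry.getValue());
            System.out.println(entry.getKey() + " (unrestricted): created "
                    + unrestricted.getClass().getName()
                    + ", is a strategy: " + (unrestricted instanceof InheritanceStrategy));
            try {
                InheritanceStrategy s = loadRestricted(entry.getValue());
                System.out.println(entry.getKey() + " (restricted): accepted " + s.name());
            } catch (IllegalArgumentException e) {
                System.out.println(entry.getKey() + " (restricted): rejected, " + e.getMessage());
            }
        }
    }
}
```

Run with `javac StrategyLoader.java && java StrategyLoader`. The unrestricted path happily returns an `ArrayList` for the second entry, which is exactly the "instantiate arbitrary types" condition the advisory describes; the restricted path never consults the class loader for the attacker-controlled string, which is the property a fix for this class of bug should have.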
How can this vulnerability impact me?
This vulnerability can lead to information disclosure or other impacts depending on the classes that are available on the classpath.
Since attackers with Item/Configure permission can instantiate arbitrary types, they might exploit this to access sensitive information or cause other harmful effects within the Jenkins environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers with Item/Configure permission to instantiate arbitrary types during deserialization, which may lead to information disclosure or other impacts depending on the classes available on the classpath.
Information disclosure resulting from this vulnerability could potentially affect compliance with standards and regulations such as GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access.
However, the specific impact on compliance depends on the nature of the information disclosed and the environment in which the plugin is used.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Jenkins Matrix Authorization Strategy Plugin to a version later than 3.2.9, as versions 2.0-beta-1 through 3.2.9 are affected.
Additionally, restrict permissions so that only trusted users have Item/Configure permission, since attackers require this permission to exploit the vulnerability.