CVE-2026-42521
Analyzed Analyzed - Analysis Complete
Jenkins Matrix Authorization Strategy Plugin Deserialization Flaw

Publication date: 2026-04-29

Last updated on: 2026-05-06

Assigner: Jenkins Project

Description
Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42521
EUVD
EUVD-2026-26222
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
jenkins matrix_authorization_strategy From 2.1 (inc) to 3.2.10 (exc)
jenkins matrix_authorization_strategy 2.0
jenkins matrix_authorization_strategy 2.0
jenkins matrix_authorization_strategy 2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Jenkins Matrix Authorization Strategy Plugin versions 2.0-beta-1 through 3.2.9. It occurs because the plugin invokes parameterless constructors of classes specified in its configuration during deserialization of inheritance strategies without restricting which classes can be instantiated.

This lack of restriction allows attackers who have Item/Configure permission to instantiate arbitrary classes. Depending on the classes available on the classpath, this can lead to information disclosure or other impacts.

Impact Analysis

An attacker with Item/Configure permission can exploit this vulnerability to instantiate arbitrary types within the Jenkins environment.

This may lead to information disclosure or other impacts depending on the classes available on the classpath, potentially compromising sensitive data or system integrity.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Jenkins Matrix Authorization Strategy Plugin to a version later than 3.2.9, as versions 2.0-beta-1 through 3.2.9 are affected.

Additionally, restrict permissions so that only trusted users have Item/Configure permission, since attackers require this permission to exploit the vulnerability.

Executive Summary

The vulnerability exists in the Jenkins Matrix Authorization Strategy Plugin versions 2.0-beta-1 through 3.2.9. It occurs because the plugin invokes parameterless constructors of classes specified in its configuration during deserialization of inheritance strategies without restricting which classes can be instantiated.

This lack of restriction allows attackers who have Item/Configure permission to instantiate arbitrary types. Essentially, an attacker can create instances of any class available on the classpath, which can lead to unintended behavior.

Impact Analysis

This vulnerability can lead to information disclosure or other impacts depending on the classes that are available on the classpath.

Since attackers with Item/Configure permission can instantiate arbitrary types, they might exploit this to access sensitive information or cause other harmful effects within the Jenkins environment.

Compliance Impact

This vulnerability allows attackers with Item/Configure permission to instantiate arbitrary types during deserialization, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Information disclosure resulting from this vulnerability could potentially affect compliance with standards and regulations such as GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the specific impact on compliance depends on the nature of the information disclosed and the environment in which the plugin is used.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42521. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart