CVE-2026-42522
Missing Permission Check in Jenkins GitHub Branch Source Plugin
Publication date: 2026-04-29
Last updated on: 2026-05-06
Assigner: Jenkins Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | github_branch_source | to 1967.vdea_d580c1a_b_a (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a missing permission check in the Jenkins GitHub Branch Source Plugin version 1967.vdea_d580c1a_b_a_ and earlier. It allows attackers who have Overall/Read permission to connect to a URL specified by the attacker using attacker-specified GitHub App credentials.
How can this vulnerability impact me? :
An attacker with Overall/Read permission could exploit this vulnerability to connect Jenkins to an attacker-controlled URL using attacker-specified GitHub App credentials. This could potentially lead to unauthorized access or manipulation of Jenkins operations or data through the malicious URL.
Can you explain this vulnerability to me?
This vulnerability is a missing permission check in the Jenkins GitHub Branch Source Plugin version 1967.vdea_d580c1a_b_a_ and earlier. It allows attackers who have Overall/Read permission to connect to a URL specified by the attacker using attacker-specified GitHub App credentials.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Jenkins GitHub Branch Source Plugin to a version later than 1967.vdea_d580c1a_b_a_ where the missing permission check issue is fixed.
Additionally, review and restrict the permissions of users with Overall/Read access to reduce the risk of exploitation.
How can this vulnerability impact me? :
An attacker with Overall/Read permission could exploit this vulnerability to connect to an attacker-controlled URL using GitHub App credentials they specify. This could potentially lead to unauthorized interactions with external systems or services, leveraging the Jenkins environment's permissions.