CVE-2026-42522
Analyzed Analyzed - Analysis Complete
Missing Permission Check in Jenkins GitHub Branch Source Plugin

Publication date: 2026-04-29

Last updated on: 2026-05-06

Assigner: Jenkins Project

Description
A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42522
EUVD
EUVD-2026-26224
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jenkins github_branch_source to 1967.vdea_d580c1a_b_a (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should update the Jenkins GitHub Branch Source Plugin to a version later than 1967.vdea_d580c1a_b_a_ where the missing permission check issue is fixed.

Additionally, review and restrict the permissions of users with Overall/Read access to reduce the risk of exploitation.

Executive Summary

This vulnerability is a missing permission check in the Jenkins GitHub Branch Source Plugin version 1967.vdea_d580c1a_b_a_ and earlier. It allows attackers who have Overall/Read permission to connect to a URL specified by the attacker using attacker-specified GitHub App credentials.

Impact Analysis

An attacker with Overall/Read permission could exploit this vulnerability to connect Jenkins to an attacker-controlled URL using attacker-specified GitHub App credentials. This could potentially lead to unauthorized access or manipulation of Jenkins operations or data through the malicious URL.

Executive Summary

This vulnerability is a missing permission check in the Jenkins GitHub Branch Source Plugin version 1967.vdea_d580c1a_b_a_ and earlier. It allows attackers who have Overall/Read permission to connect to a URL specified by the attacker using attacker-specified GitHub App credentials.

Impact Analysis

An attacker with Overall/Read permission could exploit this vulnerability to connect to an attacker-controlled URL using GitHub App credentials they specify. This could potentially lead to unauthorized interactions with external systems or services, leveraging the Jenkins environment's permissions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42522. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart