CVE-2026-42525
Microsoft Entra ID Plugin Unsafe Redirect Phishing Vulnerability
Publication date: 2026-04-29
Last updated on: 2026-05-05
Assigner: Jenkins Project
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jenkins | azure_ad | to 666.v6060de32f87d (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Jenkins Microsoft Entra ID (previously Azure AD) Plugin version 666.v6060de32f87d and earlier. The plugin does not restrict the redirect URL used after login, so once a user has authenticated it can send them on to an arbitrary, attacker-chosen URL (an open redirect, CWE-601).
Because the redirect follows a genuine login on the real Jenkins host, the destination inherits that trust, which is what makes it usable for phishing.
How can this vulnerability impact me?
This vulnerability can impact you by enabling attackers to perform phishing attacks through the Jenkins Microsoft Entra ID Plugin.
- Users may be redirected to malicious sites after login without their knowledge.
- Attackers can steal sensitive information by tricking users into entering credentials or other personal data on fake websites.
- It undermines the trust in the authentication process of Jenkins environments using this plugin.
Can you explain this vulnerability to me?
The Jenkins Microsoft Entra ID (previously Azure AD) Plugin version 666.v6060de32f87d and earlier does not restrict the redirect URL after login.
This flaw allows attackers to manipulate the redirect URL, enabling them to perform phishing attacks by redirecting users to malicious sites after they log in.
How can this vulnerability impact me?
This vulnerability can be exploited by attackers to conduct phishing attacks.
Users may be redirected to malicious websites after login, potentially leading to credential theft or other malicious activities.
The vulnerability has a CVSS base score of 4.3, indicating a medium severity with low attack complexity but requiring user interaction.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in Jenkins Microsoft Entra ID Plugin 666.v6060de32f87d and earlier, update the plugin to a version that restricts the post-login redirect URL.
Because the flaw is precisely the missing restriction on redirect targets, applying the security update provided by the Jenkins project is the immediate recommended step.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not include information about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.