CVE-2026-42525
Analyzed Analyzed - Analysis Complete
Microsoft Entra ID Plugin Unsafe Redirect Phishing Vulnerability

Publication date: 2026-04-29

Last updated on: 2026-05-05

Assigner: Jenkins Project

Description
Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42525
EUVD
EUVD-2026-26227
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jenkins azure_ad to 666.v6060de32f87d (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Jenkins Microsoft Entra ID (previously Azure AD) Plugin version 666.v6060de32f87d and earlier. It does not restrict the redirect URL after login, which means that after a user logs in, the plugin can redirect them to an arbitrary URL.

This lack of restriction allows attackers to exploit the plugin by redirecting users to malicious websites, enabling phishing attacks.

Impact Analysis

This vulnerability can impact you by enabling attackers to perform phishing attacks through the Jenkins Microsoft Entra ID Plugin.

  • Users may be redirected to malicious sites after login without their knowledge.
  • Attackers can steal sensitive information by tricking users into entering credentials or other personal data on fake websites.
  • It undermines the trust in the authentication process of Jenkins environments using this plugin.
Executive Summary

The Jenkins Microsoft Entra ID (previously Azure AD) Plugin version 666.v6060de32f87d and earlier does not restrict the redirect URL after login.

This flaw allows attackers to manipulate the redirect URL, enabling them to perform phishing attacks by redirecting users to malicious sites after they log in.

Impact Analysis

This vulnerability can be exploited by attackers to conduct phishing attacks.

Users may be redirected to malicious websites after login, potentially leading to credential theft or other malicious activities.

The vulnerability has a CVSS base score of 4.3, indicating a medium severity with low attack complexity but requiring user interaction.

Mitigation Strategies

To mitigate the vulnerability in Jenkins Microsoft Entra ID Plugin 666.v6060de32f87d and earlier, you should update the plugin to a version that restricts the redirect URL after login.

Since the vulnerability allows phishing attacks by not restricting redirect URLs, applying the latest security updates or patches provided by Jenkins is the immediate recommended step.

Compliance Impact

The provided context and resources do not include information about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart