CVE-2026-53436
Received Received - Intake
Jenkins Login Redirect Phishing via Relative Paths

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Jenkins Project

Description
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-53436
EUVD
EUVD-2026-36020
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jenkinsci jenkins to 2.568 (exc)
jenkinsci jenkins to 2.555.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-53436 is an open redirect vulnerability in Jenkins versions 2.567 and earlier, including LTS 2.555.2 and earlier. It occurs during the default login flow where Jenkins improperly validates redirect URLs that contain relative path segments such as './' or '../'.

Because of this improper validation, browsers interpret these relative path segments as protocol-relative URLs starting with '//', which can redirect users to attacker-controlled domains after login.

Impact Analysis

This vulnerability allows attackers to perform phishing attacks by redirecting users to malicious websites after they log in to Jenkins.

Users may be tricked into believing they are still interacting with Jenkins, potentially exposing sensitive information or credentials to attackers.

Detection Guidance

This vulnerability involves Jenkins improperly validating redirect URLs after login that contain relative path segments such as ./ or ../, which can lead to open redirect phishing attacks.

To detect this vulnerability on your system, you can test the login redirect behavior by attempting to access Jenkins login URLs with crafted redirect parameters containing relative path segments.

For example, you can use curl commands to simulate login redirects and observe if Jenkins improperly redirects to attacker-controlled domains.

  • curl -v 'http://your-jenkins-server/login?redirect=./malicious.com'
  • curl -v 'http://your-jenkins-server/login?redirect=../malicious.com'

If Jenkins redirects to the specified relative path or an external domain, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Jenkins to a fixed version where this vulnerability is addressed.

  • Upgrade Jenkins to version 2.568 or later.
  • If using the Long-Term Support (LTS) version, upgrade to LTS 2.555.3 or later.

These versions include a fix that strips tab and newline characters before URL validation and rejects URLs containing // anywhere, preventing the open redirect issue.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53436. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart