CVE-2026-53437
Status: Modified - Updated After Analysis

Jenkins Login Redirect Phishing via Tab/Newline Characters

Vulnerability report for CVE-2026-53437, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-30

Assigner: Jenkins Project

Description

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

Showing 2 associated CPEs

Vendor  | Product | Version / Range
jenkins | jenkins | up to 2.568 (excluding)
jenkins | jenkins | up to 2.555.3 (excluding)

Exploitability

CWE ID  | Description
CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

AI Quick Actions
Executive Summary

This vulnerability affects Jenkins versions 2.567 and earlier, including LTS 2.555.2 and earlier. It occurs because Jenkins improperly determines that a redirect URL after login is legitimately pointing to Jenkins when the URL contains tab or newline characters between the double slashes (//).

This flaw allows attackers to craft malicious redirect URLs that appear to be safe but actually lead users to phishing sites.

Impact Analysis

The vulnerability can be exploited by attackers to perform phishing attacks by redirecting users to malicious sites after login, potentially leading to credential theft or other malicious activities.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves improper validation of redirect URLs after login in Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier. Detection involves checking if the Jenkins instance accepts redirect URLs containing tab or newline characters between //, which can be exploited for phishing.

To detect this on your system, you can attempt to send crafted login requests with redirect URLs containing tab or newline characters between // and observe if Jenkins redirects to an external domain.

Example command using curl to test the redirect behavior:

  • curl -i -X POST -d 'j_username=yourusername&j_password=yourpassword&from=%2F%09%2Fmalicious.com' https://your-jenkins-url/login

Use %09 (URL-encoded tab) or %0A (URL-encoded newline) between the two encoded slashes in the 'from' parameter; a vulnerable instance answers with a Location header pointing at the external host instead of a path on the Jenkins instance.

Mitigation Strategies

The immediate mitigation step is to upgrade Jenkins to a fixed version where the vulnerability is addressed.

  • Upgrade Jenkins to version 2.568 or later, or LTS 2.555.3 or later.

These versions strip tab and newline characters before URL validation and reject URLs containing // anywhere, preventing the open redirect vulnerability.
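To illustrate the weak and the corrected validation described above, the following is an added Python example (not Jenkins' own code): a naive check that only looks for a literal leading `//`, beside a hardened check that first strips tab and newline characters the way browsers do and then rejects `//` anywhere in the value. The host `malicious.com` and the sample paths are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Browsers (per the WHATWG URL parser) silently drop ASCII tab, CR and LF
# from a URL before parsing. A validator that does not drop them first is
# judging a different string than the one the browser will follow.
_TAB_NEWLINE = re.compile(r"[\t\r\n]")


def naive_is_local_redirect(target: str) -> bool:
    """Weak check modelled on the flaw described above (not Jenkins' code):
    accepts any value that starts with '/' and does not literally start with '//'.
    A tab or newline between the slashes defeats the literal '//' test."""
    return target.startswith("/") and not target.startswith("//")


def hardened_is_local_redirect(target: str) -> bool:
    """Check mirroring the described fix: normalise like a browser (strip
    tab/newline), require a relative path, and reject '//' anywhere."""
    cleaned = _TAB_NEWLINE.sub("", target)
    if not cleaned.startswith("/") or "//" in cleaned:
        return False
    # Belt and braces: after normalisation there must be no scheme or host.
    parts = urlsplit(cleaned)
    return parts.scheme == "" and parts.netloc == ""


def browser_view(target: str) -> str:
    """Host a browser would navigate to for `target` after removing
    tab/newline; '' means the redirect stays on the current origin."""
    return urlsplit(_TAB_NEWLINE.sub("", target)).netloc


if __name__ == "__main__":
    # Constructed sample 'from' values: one benign path, two crafted ones.
    for sample in ["/job/build/", "/\t/malicious.com", "/\n/malicious.com"]:
        print(
            f"{sample!r:22} naive={naive_is_local_redirect(sample)!s:5} "
            f"hardened={hardened_is_local_redirect(sample)!s:5} "
            f"browser_host={browser_view(sample)!r}"
        )
```

The output shows that the naive check passes both crafted values even though a browser would leave the Jenkins origin for them, while the hardened check accepts only the plain relative path.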
