CVE-2026-53438

Analyzed Analyzed - Analysis Complete

Missing Permission Check in Jenkins Allows Queue Cancellation

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: Jenkins Project

Description

A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-10

Last Modified

2026-06-11

Generated

2026-06-30

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-29

NVD

CVE-2026-53438

EUVD

EUVD-2026-36022

Affected Vendors & Products

Vendor	Product	Version / Range
jenkins	jenkins	to 2.568 (exc)
jenkins	jenkins	to 2.555.3 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-862	The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

Executive Summary

This vulnerability is a missing permission check in Jenkins versions 2.567 and earlier, including LTS 2.555.2 and earlier. It allows attackers who have the Item/Cancel permission but do not have the Item/Read permission to cancel queue items that they are not authorized to view.

Impact Analysis

The vulnerability can allow unauthorized users to interfere with Jenkins job queues by canceling jobs they should not have access to. This can disrupt build processes, cause denial of service to legitimate jobs, and potentially impact the reliability and availability of continuous integration workflows.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Jenkins to a version later than 2.567 or LTS later than 2.555.2, where the issue has been fixed.

Hi! I’m here to help you understand CVE-2026-53438. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70