4.3
Jenkins: Unauthorized users can access build information
CVE-2026-27100
GHSA-wfhp-qgm8-5p5c
Summary
Jenkins 2.550 and earlier, and LTS 2.541.1 and earlier, let users who hold Item/Build and Item/Configure permission learn about builds they are not authorized to access: whether a job exists, whether a build exists, and the display name of an existing build. This is a security risk if your Jenkins instance stores sensitive information in build names. To stay safe, update to Jenkins 2.551 or LTS 2.541.2.
What to do
- Update jenkins-ci org.jenkins-ci.main:jenkins-core to version 2.551.
- Update jenkins-ci org.jenkins-ci.main:jenkins-core to version 2.541.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| jenkins-ci | org.jenkins-ci.main:jenkins-core | > 2.542, <= 2.551 | 2.551 |
| jenkins-ci | org.jenkins-ci.main:jenkins-core | <= 2.541.2 | 2.541.2 |
| jenkins | jenkins | <= 2.541.2 | – |
| jenkins | jenkins | <= 2.551 | – |
Original title
Jenkins has a build information disclosure vulnerability through Run Parameter
Original description
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
NVD CVSS 3.1
4.3
Vulnerability type
CWE-200
Information Exposure
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27100
- https://github.com/jenkinsci/jenkins/commit/f92eadb5813f04ca27439455e2573c3171e9...
- https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.551
- https://github.com/jenkinsci/jenkins/releases/tag/jenkins-2.541.2
- https://github.com/advisories/GHSA-wfhp-qgm8-5p5c
- https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658 (Vendor Advisory)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026