A popular open-source automation server used by developers worldwide to build, test, and deploy software faces serious security risks from recent flaws. On February 18, 2026, two vulnerabilities were detailed in the core Jenkins software.
The most critical issue is a stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious scripts into build environments, potentially stealing data or hijacking sessions.
These flaws affect thousands of organizations relying on Jenkins for continuous integration and delivery (CI/CD) pipelines. Attackers need only low-level permissions to exploit them, making quick patching essential.
The primary threat stems from how Jenkins handles node offline causes. When administrators mark an agent node as temporarily offline, they enter a description that Jenkins treats as HTML.
In vulnerable versions, this input isn’t properly escaped, allowing stored XSS. An attacker with Agent/Configure or Agent/Disconnect permissions could craft a malicious description that executes JavaScript when viewed by others, like admins checking node status.
This could lead to high-impact consequences, such as data theft, session hijacks, or further pipeline compromises in shared build farms.
A secondary issue involves building information leaks through Run Parameters. Users with Item/Build and Item/Configure permissions can submit parameters referencing builds they shouldn’t have access to.
Jenkins accepts these, revealing job existence, build details, and display names useful for reconnaissance in targeted attacks.
Jenkins Vulnerability Breakdown
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2026-27099 | High (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) | Stored XSS in node offline causes a description; unescaped user input renders as HTML, which is exploitable by permitted users. |
| CVE-2026-27100 | Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) | Run Parameter accepts invalid build references, leaking job/build existence and names to unauthorized users. |
Affected Versions and Fixes
| Type | Affected Versions | Fixed Versions |
|---|---|---|
| Weekly | Up to 2.550 | 2.551 |
| LTS | Up to 2.541.1 | 2.541.2 |
Update immediately to block exploits. On Jenkins 2.539+, Content Security Policy (CSP) mitigates the XSS flaw. Disable unnecessary permissions, such as Agent/Configure, for non-admins, said “Jenkins”.
Scan your CI/CD setups for exposed nodes and review recent offline logs. These issues highlight risks in automation tools: even trusted platforms need vigilance against permission abuse.
Organizations using Jenkins in cloud or on-prem environments should prioritize patches to protect sensitive build artifacts from XSS-driven chains. No active exploits are public yet, but the high CVSS score signals real danger for development teams.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
