CVE-2026-53440
Summary
| CVE | CVE-2026-53440 |
|---|---|
| State | PUBLISHED |
| Assigner | jenkins |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-10 14:16:36 UTC |
| Updated | 2026-06-10 19:43:28 UTC |
| Description | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. |
Risk And Classification
Primary CVSS: v3.1 4.3 MEDIUM from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Problem Types: CWE-601 | CWE-601 CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Jenkins Project | Jenkins | unaffected 2.568 * maven | Not specified |
| CNA | Jenkins Project | Jenkins | unaffected 2.555.3 2.555.* maven | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.jenkins.io/security/advisory/2026-06-10 | [email protected] | www.jenkins.io | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.