{"api_version":"1","generated_at":"2026-06-25T02:56:59+00:00","cve":"CVE-2026-57288","urls":{"html":"https://cve.report/CVE-2026-57288","api":"https://cve.report/api/cve/CVE-2026-57288.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-57288","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-57288"},"summary":{"title":"CVE-2026-57288","description":"Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.","state":"PUBLISHED","assigner":"jenkins","published_at":"2026-06-24 14:17:35","updated_at":"2026-06-24 15:16:44"},"problem_types":["CWE-90","CWE-90 CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"3.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"3.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651","name":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651","refsource":"jenkinsci-cert@googlegroups.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-57288","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-57288","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Jenkins Project","product":"Jenkins Active Directory Plugin","version":"affected 2.41.1 maven","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-57288","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-24T14:13:46.534006Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-90","description":"CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-24T14:14:28.743Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Jenkins Active Directory Plugin","vendor":"Jenkins Project","versions":[{"lessThanOrEqual":"2.41.1","status":"affected","version":"0","versionType":"maven"}]}],"descriptions":[{"lang":"en","value":"Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name."}],"providerMetadata":{"dateUpdated":"2026-06-24T13:20:08.700Z","orgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","shortName":"jenkins"},"references":[{"name":"Jenkins Security Advisory 2026-06-24","tags":["vendor-advisory"],"url":"https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651"}]}},"cveMetadata":{"assignerOrgId":"39769cd5-e6e2-4dc8-927e-97b3aa056f5b","assignerShortName":"jenkins","cveId":"CVE-2026-57288","datePublished":"2026-06-24T13:20:08.700Z","dateReserved":"2026-06-24T08:41:44.358Z","dateUpdated":"2026-06-24T14:14:28.743Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 14:17:35","lastModifiedDate":"2026-06-24 15:16:44","problem_types":["CWE-90","CWE-90 CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-24T14:13:46.534006Z","id":"CVE-2026-57288","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"57288","Ordinal":"1","Title":"CVE-2026-57288","CVE":"CVE-2026-57288","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"57288","Ordinal":"1","NoteData":"Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.","Type":"Description","Title":"CVE-2026-57288"}]}}}