CVE-2026-42522
Published 2026-04-29
Medium 4.3 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | credentials_binding | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | github | — | — |
| jenkins | github_branch_source | <= 1967.vdea_d580c1a_b_a | — |
| jenkins | github_branch_source | — | — |
| jenkins | github_branch_source_plugin | — | — |
| jenkins | github_plugin | — | — |
| jenkins | html_publisher | — | — |
| jenkins | html_publisher_plugin | — | — |
| jenkins | matrix_authorization_strategy | — | — |
| jenkins | matrix_authorization_strategy_plugin | — | — |
| jenkins | script_security | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins_project | jenkins_github_branch_source_plugin | <= 1967.vdea_d580c1a_b_a_ | — |