Jenkins is missing a permission check on password fields

GHSA-p3f5-98cv-562j · BIT-jenkins-2025-67636 · CVE-2025-67636

Published Dec 10, 2025 · Modified Feb 4, 2026

Description

A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-67636
WEB https://github.com/jenkinsci/jenkins/commit/3ee7380c5e167fab865f58b52a81ef01c24b9eb2
PACKAGE https://github.com/jenkinsci/jenkins
WEB https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-1809

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes