Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 4.3 Maven

Jenkins GitHub Branch Source Plugin: Missing permissions check allows attackers to perform a connection test

GHSA-wg26-8wmj-cf9p · CVE-2026-42522

Published · Modified

Description

Jenkins GitHub Branch Source Plugin versions 1967.vdea_d580c1a_b_a_ and earlier do not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

GitHub Branch Source Plugin 1967.1969.v205fd594c821 requires Overall/Manage permission to perform the connection test.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes