Jenkins Microsoft Entra ID (previously Azure AD) Plugin has an open redirect vulnerability

GHSA-jp6g-g3v3-6gvf · CVE-2026-42525

Published Apr 29, 2026 · Modified May 6, 2026

Description

Jenkins Microsoft Entra ID (previously Azure AD) Plugin versions 666.v6060de32f87d and earlier do not restrict the redirect URL after login.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Microsoft Entra ID (previously Azure AD) Plugin 667.v4c5827a_e74a_0 only redirects to relative (Jenkins) URLs.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-42525
PACKAGE https://github.com/jenkinsci/azure-ad-plugin
WEB https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3760

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes