Cyber Posture

CVE-2026-42520

Severity: High
Published: 29 April 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: available (see the Jenkins security advisory linked below)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0239 (percentile 85.1)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42520 is a high-severity Path Traversal (CWE-22) vulnerability in Jenkins Credentials Binding. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS the CVE ranks in the top 14.9% of all CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one further technique, listed under Threat & Defense Details. What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: requires input validation that directly prevents the traversal by rejecting or sanitizing the file names supplied for file and zip file credentials before anything is written to the node filesystem.

SI-2 (Flaw Remediation), prevent: mandates timely flaw remediation, here applying the official Jenkins fix for the plugin so that the sanitization failure is removed at its source.

AC-6 (Least Privilege), prevent: restricts low-privileged users from configuring file or zip file credentials for jobs that run on the built-in node, removing the prerequisite for controller RCE. An unpatched plugin still permits arbitrary file writes on whatever node runs the job, so this control narrows the impact rather than replacing the patch.
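The SI-2 and AC-6 items above reduce to two questions a defender can answer from a controller: is the installed credentials-binding plugin in the affected range, and can jobs run on the built-in node at all (a built-in node with zero executors runs no jobs, which removes the RCE prerequisite the NVD text names). The following is an added example, not code from Jenkins, the plugin or this page. It evaluates both conditions over constructed sample JSON in the shape I understand /pluginManager/api/json?depth=1 and /computer/api/json to return; the field names shortName, version, displayName and numExecutors, and the displayName "Built-In Node", are assumptions to confirm against your own instance. The version comparison relies on the Jenkins incremental scheme, where "719.v80e905ef14eb_" orders by the integer before the first dot.

```python
import json
import re

# The NVD text marks 719.v80e905ef14eb_ and earlier as affected; Jenkins incremental
# versions ('<number>.v<git hash>') order by the integer before the first dot.
LAST_AFFECTED = 719

# Constructed sample responses (not captured from a real instance). Field names are
# assumed to match /pluginManager/api/json?depth=1 and /computer/api/json.
SAMPLE_PLUGINS = json.loads("""
{"plugins": [
  {"shortName": "credentials", "version": "1000.v0a_0b_0c_0d_0e_0f", "active": true},
  {"shortName": "credentials-binding", "version": "719.v80e905ef14eb_", "active": true},
  {"shortName": "git", "version": "5.0.0", "active": true}
]}
""")
SAMPLE_COMPUTERS = json.loads("""
{"computer": [
  {"displayName": "Built-In Node", "numExecutors": 2, "offline": false},
  {"displayName": "linux-agent-1", "numExecutors": 4, "offline": false}
]}
""")


def leading_number(version: str) -> int:
    """'719.v80e905ef14eb_' -> 719; plain semver such as '5.0.0' -> 5."""
    m = re.match(r"\d+", version)
    if not m:
        raise ValueError(f"not a Jenkins-style version: {version!r}")
    return int(m.group())


def plugin_version(plugins_api: dict, short_name: str):
    """Version string of an installed plugin, or None if it is not installed."""
    for p in plugins_api.get("plugins", []):
        if p.get("shortName") == short_name:
            return p.get("version")
    return None


def builtin_executors(computers_api: dict) -> int:
    """Executor count of the controller's own node (named 'master' before Jenkins 2.307)."""
    for c in computers_api.get("computer", []):
        if c.get("displayName") in ("Built-In Node", "master"):
            return int(c.get("numExecutors", 0))
    return 0


def assess(plugins_api: dict, computers_api: dict) -> dict:
    """Combine the two preconditions the advisory text describes into a verdict."""
    version = plugin_version(plugins_api, "credentials-binding")
    vulnerable_plugin = version is not None and leading_number(version) <= LAST_AFFECTED
    execs = builtin_executors(computers_api)
    return {
        "plugin_version": version,
        "vulnerable_plugin": vulnerable_plugin,
        "builtin_executors": execs,
        # The arbitrary file write exists on any node that runs jobs while the plugin is
        # unpatched; controller RCE additionally needs jobs to be able to run on the
        # built-in node. Whether low-privileged users may configure file/zip credentials
        # is an authorization-matrix question this API data cannot answer.
        "file_write_reachable": vulnerable_plugin,
        "controller_rce_reachable": vulnerable_plugin and execs > 0,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_PLUGINS, SAMPLE_COMPUTERS), indent=2))
```

To run it against a live controller, fetch the two endpoints with an API token and pass the parsed bodies to assess(); a result of controller_rce_reachable == True means both patching (SI-2) and moving builds off the built-in node (AC-6) are outstanding.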

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The flaw is reached through the Jenkins web application by a low-privileged user who can attach credentials to a job (T1190). Because the unsanitized name lets that user write files to arbitrary locations on the node, and on the built-in node such a write can become code execution on the controller, a credentials-configuration permission is converted into a far higher privilege level (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

Deeper analysis

CVE-2026-42520 is a path traversal vulnerability (CWE-22) in the Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier. The flaw arises because the plugin fails to properly sanitize file names for file and zip file credentials, enabling arbitrary file writes on the affected node's filesystem. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

The attacker needs only low privileges (PR:L in the vector): the ability to provide credentials to a Jenkins job. By supplying a crafted file name, they can have the credential's contents written to an arbitrary location on the filesystem of the node that runs the job. If the instance permits such a user to configure file or zip file credentials for a job that executes on the built-in node, the write lands on the controller and can result in remote code execution.
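The mechanism just described, and the SI-10 check that closes it, as an added example that is not the Credentials Binding plugin's code or the page's own: a vulnerable join of a caller-supplied file name against a workspace directory beside a hardened version that rejects traversal syntactically and then proves the resolved path still lies under the directory, applied both to a single file credential and to every entry of a zip file credential (the zip-slip form of the same CWE-22). The attacker-controlled names, the zip contents and the temporary workspace are constructed for the demo; the function names are my own.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeName(ValueError):
    """The supplied file name would place a file outside the intended directory."""


def unsafe_target(target_dir: Path, file_name: str) -> Path:
    """Vulnerable pattern (CWE-22): the caller-supplied name is joined verbatim,
    so '../x' or '/etc/cron.d/x' lands wherever the attacker points it."""
    return target_dir / file_name


def safe_target(target_dir: Path, file_name: str, allow_subdirs: bool = False) -> Path:
    """Hardened pattern (SI-10): syntactic checks first, then prove the resolved
    path still lies under target_dir before anything is written."""
    base = target_dir.resolve()
    # Treat backslashes as separators so 'a\\..\\b' cannot hide a '..' from a POSIX-only split.
    rel = PurePosixPath(file_name.replace("\\", "/"))
    parts = rel.parts  # pathlib already drops '.' components and empty segments
    if not parts or rel.is_absolute() or ".." in parts:
        raise UnsafeName(f"rejected name: {file_name!r}")
    if not allow_subdirs and len(parts) != 1:
        raise UnsafeName(f"subdirectories not allowed for a file credential: {file_name!r}")
    out = base.joinpath(*parts).resolve()
    # Semantic check: a 'D:' part resets the drive during a Windows join, and a symlink
    # already inside base can redirect the write; resolve() exposes both cases.
    if base not in out.parents:
        raise UnsafeName(f"{file_name!r} resolves outside {base}")
    return out


def extract_zip_safely(target_dir: Path, zip_bytes: bytes) -> list:
    """Zip credentials: validate every entry first (zip-slip), write only if all pass."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        targets = [(safe_target(target_dir, i.filename, allow_subdirs=True), i) for i in members]
        written = []
        for out, info in targets:
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            written.append(out)
    return written


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip; zipfile accepts traversal names, exactly as an attacker would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run both patterns against constructed attacker-controlled names; returns outcomes."""
    root = Path(tempfile.mkdtemp()).resolve()
    workspace = root / "workspace"
    workspace.mkdir()
    evil_name = "../escaped.txt"  # constructed traversal name for a file credential
    results = {}

    # Vulnerable pattern: the credential file lands one level above the workspace.
    unsafe_target(workspace, evil_name).write_bytes(b"attacker content")
    results["unsafe_escaped"] = (root / "escaped.txt").exists()

    # Hardened pattern: the same name is refused before any write happens.
    try:
        safe_target(workspace, evil_name)
        results["safe_rejected"] = False
    except UnsafeName:
        results["safe_rejected"] = True

    # A plain name is accepted and confined to the workspace.
    results["benign_ok"] = safe_target(workspace, "secret.pem") == workspace / "secret.pem"

    # Zip credential with one zip-slip entry: nothing is written, not even the benign entry.
    bad_zip = make_zip({"keys/id_rsa": b"benign", "../outside.txt": b"slip"})
    try:
        extract_zip_safely(workspace, bad_zip)
        results["zip_slip_rejected"] = False
    except UnsafeName:
        results["zip_slip_rejected"] = True
    results["zip_nothing_written"] = not (root / "outside.txt").exists() and not (workspace / "keys").exists()

    good_zip = make_zip({"keys/id_rsa": b"benign"})
    written = extract_zip_safely(workspace, good_zip)
    results["zip_benign_extracted"] = written == [workspace / "keys" / "id_rsa"] and written[0].read_bytes() == b"benign"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:22s} {'PASS' if ok else 'FAIL'}")
```

The two-stage check matters: the syntactic filter gives a clear error for the obvious "../" case, while the post-resolve containment test is what actually guarantees confinement against drive prefixes, symlinks and any encoding trick the filter did not anticipate. Validating all zip entries before writing any avoids leaving a half-extracted credential behind when a later entry is malicious.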

The official Jenkins security advisory details available patches and mitigation steps: https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: Jenkins Credentials Binding Plugin, versions ≤ 719.v80e905ef14eb_

CVEs Like This One

CVE-2026-33001 (same vendor: Jenkins)
CVE-2026-32727 (shared CWE-22)
CVE-2026-1311 (shared CWE-22)
CVE-2025-62630 (shared CWE-22)
CVE-2025-60786 (shared CWE-22)
CVE-2026-21227 (shared CWE-22)
CVE-2025-12422 (shared CWE-22)
CVE-2025-27590 (shared CWE-22)
CVE-2026-40258 (shared CWE-22)
CVE-2025-22130 (shared CWE-22)
