CVE-2026-42520
Published: 29 April 2026
Summary
CVE-2026-42520 is a high-severity Path Traversal (CWE-22) vulnerability in Jenkins Credentials Binding. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2026-42520 is a path traversal flaw (CWE-22) in the Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier. The plugin fails to sanitize file names supplied for file and zip file credentials, enabling writes to arbitrary filesystem locations on the Jenkins node.
An attacker able to supply credentials to a job can exploit the issue to achieve arbitrary file writes. When Jenkins permits low-privileged users to configure file or zip file credentials for jobs running on the built-in node, this can be escalated to remote code execution.
The Jenkins security advisory published at https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672 documents the issue and associated remediation steps.
The EPSS score for the CVE has remained flat at 0.0274 with no material rise from its initial value.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26221
Vulnerability details
Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal that lets a low-privileged user write arbitrary files on a Jenkins node maps directly to Exploit Public-Facing Application (T1190) and, through the escalation to RCE, to Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
SI-10 requires input validation mechanisms that directly prevent path traversal attacks by sanitizing file names provided for file and zip credentials.
SI-2 mandates timely flaw remediation, such as applying the official Jenkins patch for this plugin vulnerability to eliminate the sanitization failure.
AC-6 enforces least privilege to restrict low-privileged users from configuring file or zip credentials for jobs on the built-in node, blocking the attack prerequisite.
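The vulnerability details above describe unsanitized file names for file and zip file credentials, and SI-10 calls for input validation that closes exactly that gap. The following Python is an added illustration of what such validation looks like; it is not the Jenkins plugin's code nor the fix shipped in the advisory, and the function names (`sanitize_file_name`, `confined_path`, `audit_zip`), the base directory `/var/lib/jenkins/secrets` and the sample archive are all constructed for this example. It shows two layers: a credential file name must be a bare base name, and every path that would be written, including each entry of an uploaded zip, must resolve inside the intended directory.

```python
"""Defensive file-name handling for uploaded credentials.

Added illustration only (not Jenkins code). Two layers:
  1. a supplied credential *file name* must be a bare base name: no path
     separators, no "." or "..", no NUL byte;
  2. any path derived from user input, including zip archive entries, must
     be confined to a base directory before anything is written.
"""
import io
import os
import posixpath
import zipfile


class UnsafeFileName(ValueError):
    """Raised when a supplied name could escape the intended directory."""


def sanitize_file_name(name: str) -> str:
    """Accept only a bare file name; raise UnsafeFileName otherwise."""
    if not name or name in (".", ".."):
        raise UnsafeFileName(f"empty or dot name: {name!r}")
    if "\x00" in name:
        raise UnsafeFileName("NUL byte in file name")
    # Treat both separators as hostile regardless of the host OS: a backslash
    # that is inert on Linux becomes a separator once the file is written on
    # a Windows agent.
    if "/" in name or "\\" in name:
        raise UnsafeFileName(f"path separator in file name: {name!r}")
    return name


def is_safe_name(name: str) -> bool:
    try:
        sanitize_file_name(name)
        return True
    except UnsafeFileName:
        return False


def confined_path(base_dir: str, relative: str) -> str:
    """Join `relative` onto `base_dir` and refuse any result outside it."""
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, relative))
    # commonpath shrinks to a shorter prefix as soon as the candidate has
    # climbed above base; an absolute `relative` replaces base entirely.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeFileName(f"{relative!r} escapes {base}")
    return candidate


def is_confined(base_dir: str, relative: str) -> bool:
    try:
        confined_path(base_dir, relative)
        return True
    except UnsafeFileName:
        return False


def audit_zip(data: bytes) -> dict:
    """Map each archive entry name to True (safe) or False (would escape).

    Run over an uploaded zip credential before extraction; any False entry
    means the whole archive should be rejected.
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            entry = info.filename
            # Normalise to POSIX form, then reject absolute paths, Windows
            # drive prefixes and any entry that still starts with "..".
            norm = posixpath.normpath(entry.replace("\\", "/"))
            escapes = (
                "\x00" in entry
                or norm.startswith("/")
                or (len(norm) > 1 and norm[1] == ":")
                or norm == ".."
                or norm.startswith("../")
            )
            verdicts[entry] = not escapes
    return verdicts


def build_demo_zip() -> bytes:
    """Constructed sample archive: one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("config/app.properties", "key=value\n")
        archive.writestr("../../../tmp/escaped.txt", "constructed traversal entry\n")
    return buf.getvalue()


if __name__ == "__main__":
    base = "/var/lib/jenkins/secrets"  # constructed base directory
    for candidate in ("id_rsa", "../../etc/cron.d/job", "C:\\boot.ini", "..", "ok.zip"):
        print(f"{candidate!r:26} bare-name ok={is_safe_name(candidate)} "
              f"confined={is_confined(base, candidate)}")
    print(audit_zip(build_demo_zip()))
```

The two layers are deliberately independent: `sanitize_file_name` is the strict rule for the credential's own file name, while `confined_path` and `audit_zip` are the last line of defence for any path built from that input, so a bypass of the first check still cannot write outside the base directory.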