Cyber Resilience

CVE-2026-42520

High

Published: 29 April 2026

Published
29 April 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0274 86.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42520 is a high-severity Path Traversal (CWE-22) vulnerability in Jenkins Credentials Binding. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2026-42520 is a path traversal flaw (CWE-22) in the Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier. The plugin fails to sanitize file names supplied for file and zip file credentials, enabling writes to arbitrary filesystem locations on the Jenkins node.

An attacker able to supply credentials to a job can exploit the issue to achieve arbitrary file writes. When Jenkins permits low-privileged users to configure file or zip file credentials for jobs running on the built-in node, this can be escalated to remote code execution.

The Jenkins security advisory published at https://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672 documents the issue and associated remediation steps.

The EPSS score for the CVE has remained flat at 0.0274 with no material rise from its initial value.

EU & UK References

Vulnerability details

Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead…

more

to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Path traversal enabling arbitrary file writes on Jenkins node with low privileges directly maps to exploiting public-facing application (T1190) and privilege escalation to RCE (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-48922Same product: Jenkins Credentials Binding
CVE-2026-33001Same vendor: Jenkins
CVE-2025-62630Shared CWE-22
CVE-2025-60786Shared CWE-22
CVE-2025-27590Shared CWE-22
CVE-2025-12422Shared CWE-22
CVE-2026-32727Shared CWE-22
CVE-2026-40258Shared CWE-22
CVE-2025-41757Shared CWE-22
CVE-2026-4858Shared CWE-22

Affected Assets

jenkins
credentials binding
≤ 719.v80e905ef14eb

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires input validation mechanisms that directly prevent path traversal attacks by sanitizing file names provided for file and zip credentials.

prevent

SI-2 mandates timely flaw remediation, such as applying the official Jenkins patch for this plugin vulnerability to eliminate the sanitization failure.

prevent

AC-6 enforces least privilege to restrict low-privileged users from configuring file or zip credentials for jobs on the built-in node, blocking the attack prerequisite.

References