CVE-2026-27099
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Jenkins allows attackers with Agent/Configure or Agent/Disconnect permissions to inject malicious scripts into the 'Mark temporarily offline' description field. When administrators view affected agent pages, the scripts execute in their browser context, potentially compromising their sessions or performing unauthorized actions. Jenkins instances running versions 2.483 through 2.550 or LTS 2.492.1 through 2.541.1 are affected.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators (including installing malicious plugins, modifying configurations, or accessing sensitive data), and potentially pivot to other systems in the environment.
Likely Case
Attackers with appropriate permissions could steal administrator credentials, modify Jenkins configurations, or redirect users to malicious sites. The impact is limited to users with access to the affected agent pages.
If Mitigated
With proper access controls and input validation, the risk is reduced to minimal impact, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions. The vulnerability is straightforward to exploit once an attacker has the required permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.551, LTS 2.541.2
Vendor Advisory: https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3669
Restart Required: Yes
Instructions:
1. Backup your Jenkins instance. 2. Download Jenkins 2.551 or LTS 2.541.2 from the official website. 3. Stop the Jenkins service. 4. Install the updated version following your platform's installation procedures. 5. Restart the Jenkins service. 6. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Agent Permissions
allTemporarily remove Agent/Configure and Agent/Disconnect permissions from users who don't absolutely need them to reduce the attack surface.
Content Security Policy
allImplement a strict Content Security Policy (CSP) header to mitigate XSS impact by restricting script execution sources.
🧯 If You Can't Patch
- Review and restrict Agent/Configure and Agent/Disconnect permissions to only essential users
- Monitor agent configuration changes and audit logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or by examining the WAR file version. If version is between 2.483-2.550 or LTS 2.492.1-2.541.1, the instance is vulnerable.Check Version:
java -jar jenkins.war --version (or check the Jenkins web interface at /manage/about)Verify Fix Applied:
After updating, verify the version shows 2.551 or higher, or LTS 2.541.2 or higher in the About Jenkins page.📡 Detection & Monitoring
Log Indicators:
- Unusual agent configuration changes
- Multiple failed permission attempts to Agent/Configure or Agent/Disconnect
- Suspicious user activity patterns
Network Indicators:
- Unexpected outbound connections from Jenkins server after agent page views
- Unusual HTTP requests to agent configuration endpoints
SIEM Query:
source="jenkins.log" AND ("Agent/Configure" OR "Agent/Disconnect") AND ("description" OR "offline cause")