{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27100", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2026-02-17T16:48:49.373Z", "datePublished": "2026-02-18T14:17:44.672Z", "dateUpdated": "2026-02-18T14:53:33.264Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-02-18T14:17:44.672Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"version": "2.551", "versionType": "maven", "lessThan": "*", "status": "unaffected"}, {"version": "2.541.2", "versionType": "maven", "lessThan": "2.541.*", "status": "unaffected"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name."}], "references": [{"name": "Jenkins Security Advisory 2026-02-18", "url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T14:50:38.503514Z", "id": "CVE-2026-27100", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:53:33.264Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27100", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T14:50:38.503514Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:52:48.220Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins", "versions": [{"status": "unaffected", "version": "2.551", "lessThan": "*", "versionType": "maven"}, {"status": "unaffected", "version": "2.541.2", "lessThan": "2.541.*", "versionType": "maven"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658", "name": "Jenkins Security Advisory 2026-02-18", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-02-18T14:17:44.672Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27100", "state": "PUBLISHED", "dateUpdated": "2026-02-18T14:53:33.264Z", "dateReserved": "2026-02-17T16:48:49.373Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2026-02-18T14:17:44.672Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "1BA732A2-5EA7-4C70-AF40-4E696689C4F7", "versionEndExcluding": "2.541.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "2D2F2C2E-E436-4367-B067-C8E6CE7ECBD8", "versionEndExcluding": "2.551", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name."}, {"lang": "es", "value": "Jenkins 2.550 y anteriores, LTS 2.541.1 y anteriores acepta valores de par\u00e1metros de ejecuci\u00f3n que hacen referencia a compilaciones a las que el usuario que env\u00eda la compilaci\u00f3n no tiene acceso, permitiendo a atacantes con permiso de Elemento/Compilaci\u00f3n y Elemento/Configurar obtener informaci\u00f3n sobre la existencia de trabajos, la existencia de compilaciones, y si una compilaci\u00f3n especificada existe, su nombre de visualizaci\u00f3n."}], "id": "CVE-2026-27100", "lastModified": "2026-02-20T20:53:16.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-18T15:18:43.967", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters", "id": "2440637", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440637"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-551", "details": ["A flaw was found in Jenkins. An attacker with Item/Build and Item/Configure permissions can exploit this vulnerability by submitting Run Parameter values that refer to builds they do not have authorization to access. This allows the attacker to obtain sensitive information, including the existence of jobs, the existence of builds, and the display names of specific builds. This is an information disclosure vulnerability."], "name": "CVE-2026-27100", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Fix deferred", "package_name": "ocp-tools-4/jenkins-rhel9", "product_name": "OpenShift Developer Tools and Services"}], "public_date": "2026-02-18T14:17:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27100\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27100\nhttps://www.jenkins.io/security/advisory/2026-02-18/#SECURITY-3658"], "statement": "This information disclosure vulnerability in Jenkins allows an attacker with Item/Build and Item/Configure permissions to gain knowledge about the existence and display names of jobs and builds they are not authorized to access. This affects Jenkins instances in OpenShift Developer Tools & Services.", "threat_severity": "Moderate"}

{"created": "2026-02-19T10:19:45.252992+00:00", "updated": "2026-02-19T10:19:45.253079+00:00", "vendors": ["jenkins_project", "jenkins_project$PRODUCT$jenkins"]}