Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.
References
| Link | Resource |
|---|---|
| https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651 | Vendor Advisory |
Configurations
History
26 Jun 2026, 19:08
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:* | |
| References | https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651 - Vendor Advisory | |
| First Time | Jenkins; Jenkins active Directory | |
24 Jun 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-90 | |
| CVSS | v2 : v3 : | v2 : unknown; v3 : 3.7 |
24 Jun 2026, 14:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2026-06-24 14:17
Updated : 2026-06-26 19:08
NVD link : CVE-2026-57288
Mitre link : CVE-2026-57288
CVE.ORG link : CVE-2026-57288
Products Affected
jenkins
- active_directory
CWE
CWE-90
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
