CVE-2026-57288

Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.
Configurations

Configuration 1

cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*

History

26 Jun 2026, 19:08

Type | Values Removed | Values Added
CPE | | cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*
References | () https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651 - | () https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651 - Vendor Advisory
First Time | | Jenkins; Jenkins active Directory

24 Jun 2026, 15:16

Type | Values Removed | Values Added
CWE | | CWE-90
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 3.7

24 Jun 2026, 14:17

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-06-24 14:17

Updated : 2026-06-26 19:08


NVD link : CVE-2026-57288

Mitre link : CVE-2026-57288

CVE.ORG link : CVE-2026-57288



Products Affected

jenkins

  • active_directory
CWE
CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')