CVE-2026-42520

HIGH7.5EPSS 2.7%

Jenkins Credentials Binding Plugin has a path traversal vulnerability

Published: 4/29/2026Modified: 5/6/2026

Description

Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier do not sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node, this can lead to remote code execution. Credentials Binding Plugin 720.v3f6decef43ea_ sanitizes the file name provided for file and zip file credentials, preventing path traversal.

Affected packages (1)

Maven/org.jenkins-ci.plugins:credentials-bindingfrom 0, < 720.v3f6decef43ea

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-42520
PATCHhttps://github.com/jenkinsci/credentials-binding-plugin
WEBhttps://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3672