CVE-2026-42525

MEDIUM4.3EPSS 0.04%

Jenkins Microsoft Entra ID (previously Azure AD) Plugin has an open redirect vulnerability

Published: 4/29/2026Modified: 5/6/2026

Description

Jenkins Microsoft Entra ID (previously Azure AD) Plugin versions 666.v6060de32f87d and earlier do not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. Microsoft Entra ID (previously Azure AD) Plugin 667.v4c5827a_e74a_0 only redirects to relative (Jenkins) URLs.

Affected packages (1)

Maven/org.jenkins-ci.plugins:azure-adfrom 0, < 667.v4c5827a

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-42525
PATCHhttps://github.com/jenkinsci/azure-ad-plugin
WEBhttps://www.jenkins.io/security/advisory/2026-04-29/#SECURITY-3760