CVE-2026-27100

MEDIUM

org.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters

CVSS v3

4.3

MEDIUM

EPSS Score

0.2%

exploit probability

CISA KEV

No

known exploited

Exploitation

none

SSVC status

Description

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.

Technical Details

CVSS v3 Vector
3.1
Published
2/18/2026
Last Modified
2/20/2026

Frequently Asked Questions

What is CVE-2026-27100?

Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.

Is CVE-2026-27100 actively exploited?

Active exploitation of CVE-2026-27100 has not been confirmed. The EPSS score is 0.2%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-27100?

CVE-2026-27100 has a CVSS v3 base score of 4.3 (MEDIUM severity), with vector string 3.1.

Is CVE-2026-27100 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.