CVE-2026-27100
MEDIUMorg.jenkins-ci.main/jenkins-core: Jenkins: Information disclosure via unauthorized access to build parameters
CVSS v3
4.3
MEDIUM
EPSS Score
0.2%
exploit probability
CISA KEV
No
known exploited
Exploitation
none
SSVC status
Description
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 2/18/2026
- Last Modified
- 2/20/2026
Frequently Asked Questions
What is CVE-2026-27100?
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to, allowing attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of builds, and if a specified build exists, its display name.
Is CVE-2026-27100 actively exploited?
Active exploitation of CVE-2026-27100 has not been confirmed. The EPSS score is 0.2%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-27100?
CVE-2026-27100 has a CVSS v3 base score of 4.3 (MEDIUM severity), with vector string 3.1.
Is CVE-2026-27100 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.