CVE-2025-67638 PUBLISHED

Assigner: jenkins
Reserved: 09.12.2025 Published: 10.12.2025 Updated: 10.12.2025

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not mask build authorization tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Product Status

Vendor	Jenkins Project
Product	Jenkins
Versions	Default: affected unaffected from 2.541 to * (excl.) unaffected from 2.528.3 to 2.528.* (excl.)

References

Jenkins Security Advisory 2025-12-10