CVE-2026-42522 PUBLISHED

Assigner: jenkins
Reserved: 28.04.2026 Published: 29.04.2026 Updated: 29.04.2026

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.

Product Status

Vendor: Jenkins Project
Product: Jenkins GitHub Branch Source Plugin
Versions (default: unaffected):
  • affected from 0 to 1967.vdea_d580c1a_b_a_ (incl.)

References