CVE-2026-57302 PUBLISHED

Assigner: jenkins
Reserved: 24.06.2026 Published: 24.06.2026 Updated: 24.06.2026

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Product Status

Vendor	Jenkins Project
Product	Jenkins FitNesse Plugin
Versions	Default: unknown Version 1.36 is affected

References

Jenkins Security Advisory 2026-06-24