Jenkins 2.568 - Deserialization and XSS Security Fixes
Jenkins weekly release jenkins-2.568 shipped on June 10, 2026 as a security-focused update. The headline fix is a high-severity deserialization flaw in config.xml handling that could let authenticated users impersonate others or read controller files. Operators on weekly 2.567 or earlier should plan an upgrade before the next maintenance window.
The full release notes and downloads are on the GitHub release page. Jenkins also points to the official changelog for 2.568 and the June 10, 2026 security advisory for CVE details.
Deserialization flaw in config.xml submissions
CVE-2026-53435 (SECURITY-3707) is rated High. In Jenkins 2.567 and earlier, an attacker with Overall/Read permission, a real user account, and any permission that allows a POST to config.xml could trick Jenkins into deserializing attacker-chosen types from core or installed plugins.
The advisory lists concrete impact paths. Attackers could impersonate any user and send HTTP requests on their behalf, including Script Console access for arbitrary code execution. They could also read arbitrary files from the controller. The bug sits at the intersection of Stapler request routing and the custom deserialization filter Jenkins introduced in JEP-200.
Jenkins 2.568 restricts the types allowed in the affected deserialization path to expected types only. That is the change that should drive upgrade priority for any controller still on 2.567 or below.
Open redirect hardening in login flows
Three related medium severity issues tighten redirect validation after login.
CVE-2026-53436 (SECURITY-3711) covers relative path segments like ./ or ../ in URLs. Validation ran on the raw value before the servlet container collapsed those segments, so a target that only became a protocol-relative URL starting with // after collapsing passed the check; browsers treat such a URL as an external redirect target.
CVE-2026-53437 (SECURITY-3755) covers tab or newline characters slipped between // at the start of a URL, bypassing the safety check.
CVE-2026-53440 (SECURITY-3721) affects the “Delegate to servlet container” security realm. Its from parameter was not validated before the redirect, which opened a phishing vector to attacker-controlled domains.
Version 2.568 strips tab and newline characters before validation, rejects URLs containing // anywhere, and validates the from parameter of the servlet container realm.
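The validation-order gap and the hardened check described above, as an added example that is not Jenkins code: the container and browser transformations are simplified approximations, and "evil.example" is a constructed stand-in for an attacker-chosen host.

```python
import re
from typing import Callable, Optional
from urllib.parse import urlsplit


def collapse_dot_segments(path: str) -> str:
    """Approximates a servlet container removing '.' and '..' segments while
    keeping empty ones, so '/.//h' collapses to '//h' (assumption, not Jetty code)."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:          # never pop the leading root segment
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def browser_view(url: str) -> str:
    """Browsers drop ASCII tab and newline from a URL before parsing it."""
    return re.sub(r"[\t\r\n]", "", url)


def weak_check(target: str) -> bool:
    """Pre-fix style check: a local path that does not already start with '//'."""
    return target.startswith("/") and not target.startswith("//")


def hardened_check(target: str) -> bool:
    """2.568-style check: strip tab/newline first, reject '//' anywhere,
    and require a bare path with no scheme or host."""
    cleaned = browser_view(target)
    if "//" in cleaned or not cleaned.startswith("/"):
        return False
    parts = urlsplit(cleaned)
    return not parts.scheme and not parts.netloc


def final_destination(target: str, check: Callable[[str], bool]) -> Optional[str]:
    """Validate the raw value, then apply the container and browser steps that
    happen afterwards; returns the URL the browser navigates to, or None."""
    if not check(target):
        return None
    return browser_view(collapse_dot_segments(target))


def is_external(url: str) -> bool:
    """True when the final URL leaves the Jenkins origin."""
    return url.startswith("//") or bool(urlsplit(url).netloc)
```

Running `final_destination("/.//evil.example", weak_check)` yields "//evil.example", an external target, while `hardened_check` rejects the same input before any collapsing happens.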
Permission checks and information disclosure
Two medium severity permission gaps are closed in this build.
CVE-2026-53438 (SECURITY-3712) let users with Item/Cancel but without Item/Read cancel queue items they could not view. The advisory notes this was an incomplete follow up to SECURITY-2278 from the June 30, 2021 advisory. Jenkins 2.568 adds the missing Item/Read check on the affected HTTP endpoint.
CVE-2026-53439 (SECURITY-3713) exposed limited user profile data to anyone with Overall/Read. Attackers could read other users' configured timezone and enumerate the view names inside other users' “My Views”. The fix adds permission checks on those endpoints.
Stored XSS and plaintext secrets in config.xml
CVE-2026-53441 (SECURITY-3731) is another High severity item. Since Jenkins 2.483, offline cause descriptions render as HTML. A generic offline cause set through POST config.xml was not escaped, which created stored cross-site scripting for users with Agent/Configure permission. This is an incomplete fix for SECURITY-3669 from the February 18, 2026 advisory. Jenkins 2.568 renders offline cause descriptions set from the default UI as plain text.
CVE-2026-53442 (SECURITY-3744) is medium severity. On affected versions, POST config.xml submissions were written to disk as submitted once deserialization succeeded, while GET config.xml served those files directly. Plaintext secrets in a POST body could persist on disk and reappear in GET responses for users with Item/Extended Read. Version 2.568 loads the submission first, then serializes the item to disk so secrets are encrypted.
Enforcing Content Security Policy protection on Jenkins 2.539 and newer also mitigates the XSS issue, but upgrading remains the correct fix.
Upgrade notes
This is not a prerelease. The weekly line should move to 2.568. The parallel LTS fix is 2.555.3 for controllers on the LTS track up to 2.555.2.
Affected weekly builds run through 2.567 inclusive. If you run weekly and have not patched since the June 10 advisory, assume the controller is exposed to at least the deserialization and XSS issues above.
The June 10, 2026 security advisory lists all seven CVE entries with CVSS scores and reporter credits. Several findings came through the Jenkins bug bounty program sponsored by the European Commission.
Where to get it
- GitHub release page for Jenkins 2.568
- jenkinsci/jenkins repository
- Tag: jenkins-2.568