Jenkins GitHub Plugin CVE-2026-42523 — CVSS 9.0 Stored XSS Enables Pipeline Hijacking and Secret Extraction

A stored cross-site scripting vulnerability in the Jenkins GitHub Plugin — installed on an estimated 180,000+ Jenkins instances globally — allows attackers with job creation privileges to inject malicious JavaScript that executes in the browser sessions of administrators who subsequently view the affected pipeline job. The CVSS 9.0 severity reflects the consequences of successful exploitation: in a CI/CD environment, XSS in a Jenkins administrator’s session provides access to build secrets, pipeline credentials, and the ability to modify pipeline definitions to inject malicious build steps.

The Vulnerability

CVE-2026-42523 exists in the way the Jenkins GitHub Plugin 1.46.0 and earlier constructs JavaScript for its job URL display component. The plugin renders the current job’s GitHub repository URL in a JavaScript context on the job configuration and build result pages. The URL value from the job configuration is inserted into the JavaScript template without escaping HTML metacharacters or sanitising JavaScript-significant characters.

An attacker who can create or modify a Jenkins job — a privilege granted by default to Jenkins users with the Item/Configure permission — can set the GitHub repository URL field to a value containing a JavaScript payload. When any Jenkins user who has elevated permissions (typically an administrator or operator) views that job’s page, the injected JavaScript executes in their browser with the Jenkins session cookie and CSRF token in scope.

The attack does not require any interaction from the attacker after job creation — it is persistent (stored) and fires automatically when any sufficiently privileged user views the job.

Exploitation Consequences in CI/CD Environments

In the Jenkins threat model, administrator session access via XSS is particularly impactful:

Build secret extraction: Jenkins stores pipeline credentials (API keys, deployment certificates, cloud provider secrets, container registry credentials) in its credential store. An administrator session can retrieve these via the Jenkins API — a technique that has been public since the “Jenkins credential dumper” tooling was published in 2022.

Pipeline definition modification: An attacker with administrator access can modify Jenkinsfile content or inline pipeline definitions to add malicious build steps — inserting commands that exfiltrate source code, inject backdoors into build artifacts, or manipulate deployment targets. Because pipelines typically have access to production deployment credentials, a modified pipeline can reach beyond the build environment.

Lateral movement via build agents: Jenkins build agents run pipeline steps with access to the source code, build environment, and deployment credentials scoped to each job. An administrator who can trigger builds can use agent access as a pivot point into production infrastructure.

Affected Versions

The vulnerability affects Jenkins GitHub Plugin 1.46.0 and all earlier versions. The fix is available in GitHub Plugin 1.46.1, released April 29, 2026, as part of the Jenkins security advisory cycle.

The Jenkins GitHub Plugin is distinct from the “GitHub Branch Source Plugin” and “GitHub Pull Request Builder Plugin” — the fix applies specifically to the github plugin (artifact ID: github).

Recommended Actions

• Update Jenkins GitHub Plugin to 1.46.1 or later — navigate to Manage Jenkins → Plugin Manager → Updates and apply the update; a Jenkins restart may be required depending on your configuration.
• Audit job configurations for suspicious GitHub repository URLs — review job configurations modified in the past 30 days, particularly any jobs where the GitHub URL field contains unexpected characters or script-like content.
• Review Jenkins permission model — limit Item/Configure permission to the minimum set of users who require it; developers who only need to trigger builds should not have job configuration rights.
• Enable Jenkins Content Security Policy hardening — set hudson.model.DirectoryBrowserSupport.CSP to a restrictive policy to limit the impact of any XSS; while this does not fix the underlying vulnerability, it reduces the practical exploitation surface for XSS in many Jenkins configurations.
• Rotate Jenkins credentials store entries — if you cannot confirm that no untrusted users had Item/Configure access in your environment, rotate the credentials stored in the Jenkins credential store as a precaution.