Security context
Medium· 5.3GHSA-67v4-38h7-9jjp CVE-2025-59474CWE-862Published Sep 17, 2025

Jenkins has a missing permission check, allowing users to obtain agent names

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.516.32.517 → fixed in 2.528

Details

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget. Jenkins 2.528, LTS 2.516.3 removes the sidepanel from the affected view.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References