
CVE-2026-57288

Severity: Low (CVSS 3.7)
Source: NVD (NIST)

Exploitation Probability (EPSS)

0.22% (low risk); 13th percentile, i.e. higher than 13% of all known CVEs

Summary

Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.
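To make the flaw class concrete, here is an added example (Python, not the plugin's own Java code) that builds the search filter the way the summary describes, once with the user name dropped in unescaped and once with RFC 4515 escaping applied, and evaluates both against a small constructed directory. The directory contents, the flow "resolve the name to one account, then check the password against it", and the helper names are assumptions made for the illustration.

```python
"""LDAP wildcard injection via an unescaped user name, and the escaped form.

Constructed example; the directory, the account names and the authentication
flow are assumptions for illustration, not data from the Jenkins plugin.
"""
import re
from typing import Callable, List, Optional

# Constructed sample directory: sAMAccountName -> password (not real data).
DIRECTORY = {
    "admin": "Winter2024!",
    "alice": "alice-pw",
    "bob": "bob-pw",
}

# Characters RFC 4515 requires to be escaped inside an assertion value.
LDAP_META = set("*()\\\x00")


def build_filter_vulnerable(username: str) -> str:
    """The flaw class: user-controlled text concatenated straight into the filter."""
    return f"(sAMAccountName={username})"


def escape_rfc4515(value: str) -> str:
    """Escape assertion-value metacharacters as \\xx (two hex digits)."""
    return "".join("\\%02x" % ord(ch) if ch in LDAP_META else ch for ch in value)


def build_filter_safe(username: str) -> str:
    """Hardened form: the same filter with the value escaped."""
    return f"(sAMAccountName={escape_rfc4515(username)})"


def has_ldap_metachars(username: str) -> bool:
    """Input check usable in front of a component you cannot patch yet."""
    return bool(LDAP_META & set(username))


def _assertion_to_regex(value: str) -> "re.Pattern[str]":
    """Toy evaluator for one equality assertion: an unescaped '*' is a
    substring wildcard; a '\\xx' sequence is a literal character."""
    parts = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    # sAMAccountName comparisons are case-insensitive in AD.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def search(ldap_filter: str) -> List[str]:
    """Return the account names the (single-assertion) filter matches."""
    m = re.fullmatch(r"\(sAMAccountName=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter shape: " + ldap_filter)
    pattern = _assertion_to_regex(m.group(1))
    return sorted(name for name in DIRECTORY if pattern.match(name))


def authenticate(username: str, password: str,
                 build: Callable[[str], str]) -> Optional[str]:
    """Assumed flow: resolve the login name to exactly one account via the
    filter, then verify the password against that account. Returns the
    account actually used, so a caller can see which name the wildcard hit."""
    matches = search(build(username))
    if len(matches) != 1:
        return None
    account = matches[0]
    return account if DIRECTORY[account] == password else None


if __name__ == "__main__":
    # Enumeration: "a*" resolves to every name starting with "a" when unescaped.
    print(search(build_filter_vulnerable("a*")))
    print(search(build_filter_safe("a*")))
    # Login without the exact name: "ad*" is specific enough to hit one account.
    print(authenticate("ad*", "Winter2024!", build_filter_vulnerable))
    print(authenticate("ad*", "Winter2024!", build_filter_safe))
```

Two things the run shows that the summary only states: the wildcard has to narrow to a single account before the password check succeeds (so an attacker walks prefixes, `a*`, `ad*`, until exactly one entry matches, which is the enumeration half of the finding), and escaping per RFC 4515 turns `*` into the literal `\2a`, after which the same probes match nothing.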

Risk Assessment

Two outcomes follow from the missing escaping, and neither needs a Jenkins account. First, an unauthenticated attacker can enumerate directory entries by submitting user names containing LDAP wildcards and observing which prefixes resolve. Second, an attacker who already holds the password of some directory account, but not its exact user name, can log in to Jenkins as that account by supplying a wildcard pattern that matches it. What the attacker gains from that point is whatever the matched account is permitted to do in Jenkins, so the impact ranges from read access to job configuration, credentials and build artifacts up to full control of the instance if the account is an administrator. The Low CVSS rating and low EPSS score reflect the preconditions (the attacker must already know a valid password), not a harmless outcome once those are met.

Recommendation

Update the Active Directory plugin to a release later than 2.41.1 (this page does not name the fixed version; take it from the Jenkins security advisory). Until the upgrade is in place, avoid the Windows native (ADSI) authentication path if the deployment allows it, since that is the only path the advisory names as affected. If the plugin must stay in use, reject login attempts whose user name contains LDAP filter metacharacters (`*`, `(`, `)`, `\`) before they reach the plugin, for example at a reverse proxy in front of the login endpoint; this is a stop-gap that blocks the described wildcard injection, not a substitute for the fix, which is escaping the value per RFC 4515 where the filter is built.


Vulnerability data from NVD (NIST) · CISA KEV · EPSS