CVE-2026-57294
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
Risk Assessment
The risk involves potential theft of sensitive AWS credentials by an attacker with only basic read permissions, which could lead to unauthorized access to AWS cloud resources.
Recommendation
Immediately update the EC2 Fleet plugin to the latest available version that includes a fix for the missing permission check.
Original NVD description (English source)
A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.

