CVE-2026-57295
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
A CSRF vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.
Risk Assessment
The risk involves potential theft of AWS credentials by an attacker, which could lead to unauthorized access to the organization's cloud resources and potentially serious data security breaches.
Recommendation
It is recommended to immediately update the EC2 Fleet plugin to the latest available version that fixes this vulnerability, and to implement CSRF protection mechanisms such as synchronization tokens.
Original NVD description (English source)
A cross-site request forgery (CSRF) vulnerability in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.

