CVE-2026-57288 | Jenkins Active Directory Plugin 2.41.1 and earlier does not … | CVSS 3.7 LOW

Description

Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.

Metadata

CVE ID: CVE-2026-57288
State: PUBLISHED
Assigner: jenkins
Reserved: 2026-06-24 08:41 UTC
Published: 2026-06-24 13:20 UTC
Last updated: 2026-06-24 14:14 UTC
Primary CWE: CWE-90
CWE-90 Improper Neutralization of Special Elements used in a…
Vendor / Product: Jenkins Project / Jenkins Active Directory Plugin
Sources: cve.org · NVD

Severity & Metrics

3.7 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Jenkins Project	Jenkins Active Directory Plugin	—	0 ≤ 2.41.1

Weakness (CWE)

CWE	Source	Description
CWE-90	adp	CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
3.7	LOW	3.1	adp	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (1)

Jenkins Security Advisory 2026-06-24 https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651