CVE-2026-57302 | Jenkins FitNesse Plugin 1.36 and earlier stores passwords un…

Description

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Metadata

CVE ID: CVE-2026-57302
State: PUBLISHED
Assigner: jenkins
Reserved: 2026-06-24 08:41 UTC
Published: 2026-06-24 13:20 UTC
Last updated: 2026-06-24 13:20 UTC
Vendor / Product: Jenkins Project / Jenkins FitNesse Plugin
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
Jenkins Project	Jenkins FitNesse Plugin	—	1.36

References (1)

Jenkins Security Advisory 2026-06-24 https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3555