Jenkins GitHub Integration Plugin, CSRF, CVE-2026-48925 (Medium) -DC-May2026-15

Listen to this Post

Intro

CVE-2026-48925 is a cross-site request forgery (CSRF) vulnerability present in the Jenkins GitHub Integration Plugin version 0.7.3 and earlier. The flaw stems from the plugin’s failure to require POST requests for a specific HTTP endpoint that triggers builds for pull requests. By not enforcing a proper request method or employing CSRF tokens, the plugin allows an attacker to construct a malicious HTML page or email that, when visited by an authenticated Jenkins user (such as a project maintainer), causes the user’s browser to send a valid, forge request to the Jenkins server. This request tricks Jenkins into triggering a build for an arbitrary pull request without the user’s knowledge or consent. The attack is successful because Jenkins relies on the user’s existing session cookie; the malicious script inherits that session and can therefore invoke sensitive actions on behalf of the user.
The vulnerability is particularly dangerous in shared environments where pull requests from unknown contributors are common. An attacker could create a pull request containing malicious code and then use the CSRF flaw to trick a project owner into accidentally building and possibly merging the code. Because the endpoint lacks CSRF protection, no explicit token is validated, and the request method is not restricted. This enables remote exploitation via social engineering, with no need for prior authentication or advanced privileges from the attacker.
The CVSS 3.1 base score for this vulnerability is 4.3 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The attack vector is network-based, the attack complexity is low, and no privileges are required. However, user interaction (the victim must click a link) is necessary, and the scope remains unchanged. The impact is limited to low integrity (the ability to trigger builds) with no confidentiality or availability impact. The plugin maintainers addressed the issue in version 0.7.4 by requiring POST requests for the vulnerable endpoint, effectively breaking the CSRF attack vector.

DailyCVE Form

Platform: Jenkins CI server
Version: 0.7.3 earlier
Vulnerability : cross-site request forgery
Severity: 4.3 Medium
date: 2026-05-27

Prediction: 2026-05-27 fixed

What Undercode Say

Analytics

  • CVSS 3.1: 4.3 (Medium)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Impact: Low Integrity Only
  • CWE: CWE-352 (Cross-Site Request Forgery)
    Verify plugin version
    curl -s -u "$JENKINS_USER:$JENKINS_TOKEN" \
    "http://jenkins-server/pluginManager/api/json?depth=1" | jq '.plugins[] | select(.shortName=="github-pullrequest") | .version'
    Check for vulnerable endpoint (requires valid session cookie)
    curl -i -X GET \
    -b "JSESSIONID=$COOKIE" \
    "http://jenkins-server/job/project-name/github-pullrequest/build"
    Remediation: update to secure version
    jenkins-cli install-plugin github-pullrequest 0.7.4 -deploy
    

Exploit

An attacker crafts a HTML page that automatically submits a GET request to the vulnerable endpoint:

<html>
<body onload="document.forms[bash].submit()">

<form action="http://jenkins.local/job/example/github-pullrequest/build" method="GET">
</form>

</body>
</html>

When a logged-in Jenkins user visits this page, their browser sends the request with their session cookie, triggering an unauthorized build for the targeted pull request.

Protection

  • Update to GitHub Integration Plugin version 0.7.4 or later.
  • Require POST requests for all HTTP endpoints that change state (already done in 0.7.4).
  • Enable CSRF tokens on any custom endpoints that accept GET requests for state changes.
  • Use Referrer validation or double-submit cookies as additional defense layers.

Impact

  • Unauthorized build triggers for pull requests, potentially leading to:
  • Execution of untested or malicious code in the CI environment.
  • Waste of build resources and disruption of normal pipelines.
  • Increased risk of supply chain attacks if the resulting build artifacts are used in production.
  • Privilege escalation in combination with other vulnerabilities (e.g., code injection or credential exposure).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top