Jenkins Active Directory Plugin deserializes data from LDAP referrals without validation
Moderate severity
GitHub Reviewed
Published May 27, 2026 to the GitHub Advisory Database • Updated Jul 1, 2026
Package
Affected versions
< 2.41.1
Patched versions
2.41.1
Published by the National Vulnerability Database: May 27, 2026
Reviewed: Jul 1, 2026
Description
Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller if deserialization "gadgets" are available on the classpath.
This allows attackers able to control the configured Active Directory server, or able to perform a machine-in-the-middle attack, to execute code on the Jenkins controller.
Active Directory Plugin 2.41.1 no longer follows LDAP referrals by default.
Administrators unable to update to a fixed version can start Jenkins with the Java system property hudson.plugins.active_directory.referral.ignore set to true to mitigate the vulnerability. Administrators of Jenkins controllers requiring following LDAP referrals can set the Java system property hudson.plugins.active_directory.referral.ignore to false to restore the previous behavior.
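The following audit helper is an added example, not code from the advisory or from the plugin. It turns the facts above into a check a controller owner can run against two inputs: the installed plugin version and the JVM arguments the controller was started with. It assumes the Plugin-Version header in the expanded plugin's META-INF/MANIFEST.MF (the header Jenkins writes for installed plugins) and that the property value is read case-insensitively; the manifest and argument lists below are constructed samples.

```python
"""Audit helper for the Jenkins Active Directory Plugin LDAP-referral issue.

Added example; it encodes what the advisory states: versions below 2.41.1
follow LDAP referrals by default, and the Java system property
hudson.plugins.active_directory.referral.ignore controls that behaviour
(true = do not follow referrals, false = follow them).
"""
import re

FIXED_VERSION = "2.41.1"
PROPERTY = "hudson.plugins.active_directory.referral.ignore"

# Constructed sample of an expanded plugin manifest (not taken from a real install).
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Plugin-Version: 2.41
Short-Name: active-directory
"""


def parse_version(version):
    """Turn '2.41.1' into a comparable tuple (2, 41, 1); non-numeric parts are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def plugin_version_from_manifest(manifest_text):
    """Extract Plugin-Version from META-INF/MANIFEST.MF text of an expanded plugin.

    Assumption: Jenkins writes a 'Plugin-Version' header for every installed plugin.
    """
    match = re.search(r"^Plugin-Version:\s*(\S+)", manifest_text, re.MULTILINE)
    return match.group(1) if match else None


def referral_property(jvm_args):
    """Return the configured value of the referral property, or None if it is unset.

    The last -D occurrence wins, matching how the JVM treats repeated definitions.
    Values are lower-cased on the assumption that the plugin parses them
    case-insensitively, as Boolean.parseBoolean does.
    """
    value = None
    for arg in jvm_args:
        if arg.startswith("-D" + PROPERTY + "="):
            value = arg.split("=", 1)[1].strip().lower()
    return value


def assess(plugin_version, jvm_args):
    """Classify a controller as 'fixed', 'reexposed', 'mitigated' or 'vulnerable'.

    fixed:      plugin >= 2.41.1, referrals not followed by default
    reexposed:  plugin >= 2.41.1 but the property is false, so referrals are followed again
    mitigated:  affected plugin, property explicitly true
    vulnerable: affected plugin, property unset or anything other than true
    """
    affected = parse_version(plugin_version) < parse_version(FIXED_VERSION)
    prop = referral_property(jvm_args)
    if not affected:
        return "reexposed" if prop == "false" else "fixed"
    return "mitigated" if prop == "true" else "vulnerable"


if __name__ == "__main__":
    version = plugin_version_from_manifest(SAMPLE_MANIFEST)
    # Constructed JVM argument lists; in practice take them from the controller's process.
    for args in ([], ["-D" + PROPERTY + "=true"]):
        print(version, args, "->", assess(version, args))
```

The "reexposed" outcome exists because the advisory notes that setting the property to false on a fixed version restores the old behaviour; an upgrade alone is not proof of safety if a startup script still carries that flag. The check says nothing about network-path attacks on the LDAP connection itself, which the advisory also lists as a precondition.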