Jenkins LDAP Plugin deserializes data from LDAP referrals without validation
Severity: Moderate
GitHub Reviewed
Published May 27, 2026 to the GitHub Advisory Database
Updated Jul 1, 2026
Package
Affected versions: <= 807.v7d7de30930cf
Patched versions: 807.809.vd3a_4e5e4ec98
Description
Published by the National Vulnerability Database: May 27, 2026
Reviewed: Jul 1, 2026
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller if deserialization "gadgets" are available on the classpath.
This allows attackers able to control the configured LDAP server, or able to perform a machine-in-the-middle attack, to execute code on the Jenkins controller.
LDAP Plugin 807.809.vd3a_4e5e4ec98 no longer follows LDAP referrals.
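Added example, not code from the Jenkins LDAP Plugin or from Jenkins: a plain-JNDI LDAP lookup with the referral setting the fix amounts to (Context.REFERRAL set to "ignore"; the value behind the advisory is "follow"), which is how a JNDI client stops dereferencing referral URLs such as the RMI URL described above. The class and method names are hypothetical; the LDAP URL, bind DN and search base are whatever the caller supplies.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Hypothetical helper, not code from the Jenkins LDAP Plugin.
public final class NoReferralLdap {

    // JNDI environment for an LDAP bind that never dereferences referrals.
    public static Hashtable<String, String> environment(String ldapUrl, String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // "follow" is the weak value: the provider opens whatever URL a referral names, LDAP or
        // not, and deserializes what comes back. "ignore" sends ManageDsaIT and never chases one.
        env.put(Context.REFERRAL, "ignore");
        return env;
    }

    // Resolves a login name to a DN. Returns null when the entry is absent or when the
    // server answered with a referral this client refuses to chase.
    public static String findUserDn(Hashtable<String, String> env, String baseDn, String uid)
            throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);
            // Filter arguments are escaped by JNDI, so uid cannot inject filter syntax.
            NamingEnumeration<SearchResult> hits = ctx.search(baseDn, "(uid={0})", new Object[] {uid}, sc);
            String dn = hits.hasMore() ? hits.next().getNameInNamespace() : null;
            hits.close();
            return dn;
        } catch (PartialResultException e) {
            // With REFERRAL=ignore a search continuation reference ends here instead of being
            // followed; treat it as "not found" rather than re-issuing the query elsewhere.
            return null;
        } finally {
            ctx.close();
        }
    }
}
```

Gadget availability is the other half of the condition the advisory states; a process-wide deserialization filter (the JDK's jdk.serialFilter, JEP 290) narrows which classes any deserialization on the controller can instantiate, independently of the referral setting.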