Jenkins · Matrix Authorization Strategy Plugin · CVE-2026-42521
**Name of the Vulnerable Software and Affected Versions**
Jenkins Matrix Authorization Strategy Plugin versions 2.0-beta-1 through 3.2.9
**Description**
The plugin invokes parameterless constructors of classes specified in the configuration during the deserialization of inheritance strategies. Because it does not restrict the classes that can be instantiated, users with Item/Configure permission can instantiate arbitrary types. This may result in information disclosure or other impacts depending on the classes available on the classpath.
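The pattern described above, shown beside an allowlisted alternative. This is an added Java example, not the plugin's own code; all type and method names in it (`StrategyLoading`, `InheritanceStrategy`, `InheritParent`, `NonInheriting`, `loadUnrestricted`, `loadRestricted`) are hypothetical.

```java
import java.util.Map;
import java.util.function.Supplier;

// Added illustration; every type and method name here is hypothetical,
// not taken from the Matrix Authorization Strategy Plugin source.
public class StrategyLoading {

    /** Hypothetical stand-in for the base type of an inheritance strategy. */
    public abstract static class InheritanceStrategy {}
    public static final class InheritParent extends InheritanceStrategy {}
    public static final class NonInheriting extends InheritanceStrategy {}

    /** Unrestricted pattern: any class name read from the configuration is instantiated. */
    static Object loadUnrestricted(String classNameFromConfig) throws ReflectiveOperationException {
        // Static initializers and the constructor run before any type check can happen.
        return Class.forName(classNameFromConfig).getDeclaredConstructor().newInstance();
    }

    /** Restricted pattern: names map to a fixed set of factories; nothing else is loaded. */
    private static final Map<String, Supplier<InheritanceStrategy>> ALLOWED = Map.of(
            InheritParent.class.getName(), InheritParent::new,
            NonInheriting.class.getName(), NonInheriting::new);

    static InheritanceStrategy loadRestricted(String classNameFromConfig) {
        Supplier<InheritanceStrategy> factory = ALLOWED.get(classNameFromConfig);
        if (factory == null) {
            // Unknown names are rejected without ever calling Class.forName on them.
            throw new IllegalArgumentException("Unsupported inheritance strategy: " + classNameFromConfig);
        }
        return factory.get();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a JDK class that has nothing to do with inheritance strategies.
        String unrelated = "java.util.ArrayList";
        System.out.println("unrestricted -> " + loadUnrestricted(unrelated).getClass().getName());
        try {
            loadRestricted(unrelated);
        } catch (IllegalArgumentException e) {
            System.out.println("restricted   -> rejected: " + e.getMessage());
        }
        String known = InheritParent.class.getName();
        System.out.println("restricted   -> " + loadRestricted(known).getClass().getName());
    }
}
```

The restricted loader never passes the configured string to `Class.forName`, so a class outside the fixed set is neither loaded nor constructed.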
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.