PT-2026-51798 · Jenkins · Jenkins Active Directory Plugin

Published

2026-06-24

Updated

2026-06-24

CVE-2026-57288

CVSS v3.1

3.7

Low

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-90

Related Identifiers

CVE-2026-57288

Affected Products

Jenkins Active Directory Plugin

PT-2026-51798 · Jenkins · Jenkins Active Directory Plugin

CVE-2026-57288

Weakness Enumeration

Related Identifiers

Affected Products

References · 2