What is CVE-2026-27099?
Jenkins 2.483 through 2.550 (both inclusive), LTS 2.492.1 through 2.541.1 (both inclusive) does not escape the user-provided description of the “Mark temporarily offline” offline cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure or Agent/Disconnect permission.
Why is this important?
A critical, high-severity (CVSS score: 8.0) stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-27099) has been discovered within the Jenkins automation server. This vulnerability poses a significant risk due to the potential for malicious script injection into the “Mark temporarily offline” node description. Successful exploitation requires Agent/Configure permissions.
Compromised descriptions: when viewed by other Jenkins users, including administrators, trigger script execution, potentially leading to severe consequences. These include, but are not limited to, session hijacking, credential theft, and unauthorized modification of Jenkins pipelines.
Mitigation: Immediate remediation is strongly advised. Users are urged to review the official Jenkins security advisories and implement the recommended patching procedures to mitigate this vulnerability.
To the LAB
Please remember: Organizations may NOT allow you to test for this vulnerability with legal documents, however, we can build our research skill set as a Penetration Tester. You must be deliberate to gain insight into business practices, services, applications, etc. by its organizations’ product usage and test against those use cases. Resulting in the development of new knowledge/concepts, tools, and techniques to improve our testing strategies. Let’s jump in, but please read the warning below before we do so.
Public Service Announcement
THIS IS ONLY FOR EDUCATIONAL PURPOSES. This test was performed in a LAB environment and SHOULD NOT be performed in PRODUCTION
Lab Setup
We decided to use VirtualBox but the configurations are almost the same with minor tweaks if you use VMWare Workstation for the virtual machine (VM) lab instance of Ubuntu Server 24.04.1.
Assumptions
- Must be running Jenkins 2.483 through 2.550. In this Lab will be running Jenkins 2.528.2.
- Root access to perform Docker and Jenkins 2.528.2 installation.
- Jenkins initial admin password for complete installation of web application.
- Valid user credentials for Jenkins web application.
For the GUI interface for the Ubuntu Server
Run the following command in the terminal: sudo apt-get install ubuntu-desktop -y
Now to what we are here for – Install Jenkins 2.528.2 Container via Docker
Navigating to the URL for Jenkins web application (i.e. http://localhost:8080). Next copy/paste Jenkins initial Admin Password in the Unlock Jenkins to complete the web application setup.
Once completed, the Jenkins web application is ready to be use. At a glance, we can see that our version of Jenkins is 2.582.2. Based on the CVE-2026-27099, we should be able to execute XSS injection.
Our starting point based on the details of CVE-2026-27099, the input validation issue lies within the “Agents” and putting them into a “Offline” state. We click on “Build Executor Status” to see a list of agents. Selecting the Agent provides us with the attack surface.
Attack Surface
Jenkins web interface, specifically the “Mark temporarily offline” description field and Run Parameter submission functionality.
Using sample sytnax for XSS from PortSwigger Research cheatsheet. We are able to enter/execute XSS in the Jenkins web application that is persistence to ALL of its users.
And that’s a wrap!
We’ve successfully built out a testing environment and walked through the specifics of CVE-2026-27099. It’s critically important to update your Jenkins instance to version 2.528.2 or later as soon as possible, given the potential impact this vulnerability has on all users. This is just the starting point – there’s a wealth exploration available for those who want to dig deeper and happy hacking!
