Description
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in multiple MCP tools, allowing attackers to trigger builds and obtain information about job and cloud configuration they should not be able to access.
CVSS Metrics
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Attack Vector: network
- Complexity: low
- Privileges: low
- User Action: none
- Scope: unchanged
- Confidentiality: low
- Integrity: low
- Availability: none
- Weaknesses: CWE-862
Metadata
- Primary Vendor: JENKINS
- Published: 10/29/2025
- Last Modified: 12/22/2025
- Source: NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
jenkins : mcp_server