CVE-2026-42525: Jenkins Microsoft Entra ID (previously Azure AD) Plugin has an open redirect vulnerability

April 29, 2026 (updated May 6, 2026)

Jenkins Microsoft Entra ID (previously Azure AD) Plugin versions 666.v6060de32f87d and earlier do not restrict the redirect URL after login.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

Microsoft Entra ID (previously Azure AD) Plugin 667.v4c5827a_e74a_0 only redirects to relative (Jenkins) URLs.

References

github.com/advisories/GHSA-jp6g-g3v3-6gvf
github.com/jenkinsci/azure-ad-plugin
nvd.nist.gov/vuln/detail/CVE-2026-42525
www.jenkins.io/security/advisory/2026-04-29/

Code Behaviors & Features

Detect and mitigate CVE-2026-42525 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →