CVE-2026-42520: Jenkins Credentials Binding Plugin has a path traversal vulnerability

April 29, 2026 (updated May 6, 2026)

Jenkins Credentials Binding Plugin versions 719.v80e905ef14eb_ and earlier do not sanitize file names for file and zip file credentials.

This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node, this can lead to remote code execution.

Credentials Binding Plugin 720.v3f6decef43ea_ sanitizes the file name provided for file and zip file credentials, preventing path traversal.

References

github.com/advisories/GHSA-p2rf-wpxj-mx2g
github.com/jenkinsci/credentials-binding-plugin
nvd.nist.gov/vuln/detail/CVE-2026-42520
www.jenkins.io/security/advisory/2026-04-29/

Code Behaviors & Features

Detect and mitigate CVE-2026-42520 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →