CVE-2026-42519: Jenkins Script Security Plugin: Missing permission checks allow enumeration of pending and approved classpaths

April 29, 2026 (updated May 6, 2026)

Jenkins Script Security Plugin versions 1399.ve6a_66547f6e1 and earlier do not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths.

Script Security Plugin 1402.v94c9ce464861 requires Overall/Administer permission to enumerate pending and approved Script Security classpaths.

References

github.com/advisories/GHSA-p334-gfhq-c7w6
github.com/jenkinsci/script-security-plugin
nvd.nist.gov/vuln/detail/CVE-2026-42519
www.jenkins.io/security/advisory/2026-04-29/

Code Behaviors & Features

Detect and mitigate CVE-2026-42519 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →