CVE-2025-67636: Jenkins is missing a permission check on password fields

December 10, 2025

A missing permission check in Jenkins 2.540 and earlier, LTS 2.528.2 and earlier allows attackers with View/Read permission to view encrypted password values in views.

References

github.com/advisories/GHSA-p3f5-98cv-562j
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/3ee7380c5e167fab865f58b52a81ef01c24b9eb2
nvd.nist.gov/vuln/detail/CVE-2025-67636
www.jenkins.io/security/advisory/2025-12-10/

Code Behaviors & Features

Detect and mitigate CVE-2025-67636 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →