CVE Catalog

CVE-2026-57294

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.

Risk Assessment

The risk involves potential theft of sensitive AWS credentials by an attacker with only basic read permissions, which could lead to unauthorized access to AWS cloud resources.

Recommendation

Immediately update the EC2 Fleet plugin to the latest available version that includes a fix for the missing permission check.

Original NVD description (English source)

A missing permission check in Jenkins EC2 Fleet Plugin 4.2.3.539.v8fedff2a_81c3 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing AWS credentials stored in Jenkins.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS