Missing Permission Check in Jenkins Allows Unauthorized Access to Encrypted Passwords
CVE-2025-67636

4.3MEDIUM

Key Information:

Vendor

Jenkins
Status
Jenkins
Vendor
CVE Published:
10 December 2025

What is CVE-2025-67636?

A missing permission check in Jenkins versions 2.540 and earlier, including LTS version 2.528.2 and earlier, permits users with merely View/Read permissions to access sensitive information stored as encrypted passwords within views. This vulnerability can lead to unauthorized exposure of critical credentials, putting various integrations and configurations at risk of exploitation.

Affected Version(s)

Jenkins 2.541

Jenkins 2.541

Jenkins 2.528.3 < 2.528.*

References

https://www.jenkins.io/security/advisory/2025-12-10/#SECU...
vendor-advisory

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-67636 : Missing Permission Check in Jenkins Allows Unauthorized Access to Encrypted Passwords