Missing Permission Check in Jenkins Allows Unauthorized Access to Encrypted Passwords
CVE-2025-67636

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins
Vendor: CVE Published:; 10 December 2025

What is CVE-2025-67636?

A missing permission check in Jenkins versions 2.540 and earlier, including LTS version 2.528.2 and earlier, permits users with merely View/Read permissions to access sensitive information stored as encrypted passwords within views. This vulnerability can lead to unauthorized exposure of critical credentials, putting various integrations and configurations at risk of exploitation.

Affected Version(s)

Jenkins 2.541

Jenkins 2.528.3 < 2.528.*

References

https://www.jenkins.io/security/advisory/2025-12-10/#SECU...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2025
Vulnerability Reserved
Dec 9, 2025

JSON