OIDC Issuer Allowlist Bypass in Eclipse Jenkins Product
CVE-2026-14336

8.2HIGH

Key Information:

Vendor
CVE Published:
2 July 2026

What is CVE-2026-14336?

The Eclipse Jenkins product features an OIDC issuer allowlist that uses a simplistic string-prefix check for validating the issuer. This method is vulnerable to exploits where an attacker can create a malicious issuer URL leveraging tricks such as inserting userinfo or adding suffixes. Consequently, an unauthenticated user can manipulate the server to send requests to an arbitrary host controlled by the attacker, leading to unauthorized access and potential compromise of system integrity.

Affected Version(s)

Eclipse CSI - PIA 0 <= 0.3.0

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.