OIDC Issuer Allowlist Bypass in Eclipse Jenkins Product
CVE-2026-14336
8.2HIGH
What is CVE-2026-14336?
The Eclipse Jenkins product features an OIDC issuer allowlist that uses a simplistic string-prefix check for validating the issuer. This method is vulnerable to exploits where an attacker can create a malicious issuer URL leveraging tricks such as inserting userinfo or adding suffixes. Consequently, an unauthenticated user can manipulate the server to send requests to an arbitrary host controlled by the attacker, leading to unauthorized access and potential compromise of system integrity.
Affected Version(s)
Eclipse CSI - PIA 0 <= 0.3.0
