Ghostwire
Home / Vulnerabilities / CVE-2026-42521

CVE-2026-42521: Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless...

MEDIUM CVSS 5.5

Published: April 29, 2026 | Last Modified: April 29, 2026

Description

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (2 articles)

Tenable CVEs
CVE-2026-42521
 CVE Feed
CVE-2026-42521 - Jenkins Matrix Authorization Strategy Plugin Deserialization RCE

References