CVE-2026-42521

Q: What is the severity of CVE-2026-42521?

The severity of CVE-2026-42521 is considered high due to potential remote code execution risks.

Q: How do I fix CVE-2026-42521?

To fix CVE-2026-42521, upgrade the Jenkins Matrix Authorization Strategy Plugin to version 3.2.10 or later.

Q: What versions are affected by CVE-2026-42521?

CVE-2026-42521 affects Jenkins Matrix Authorization Strategy Plugin versions from 2.0-beta-1 to 3.2.9.

Q: What kind of attacks can exploit CVE-2026-42521?

CVE-2026-42521 can potentially allow attackers to execute arbitrary code via deserialization flaws.

Q: Is user interaction required to exploit CVE-2026-42521?

No user interaction is required to exploit CVE-2026-42521 as it can be triggered by manipulating deserialization processes.

Published Apr 29, 2026

Updated

Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.

Affected Software

5 affected components

Jenkins Matrix Authorization Strategy Plugin>=2.0-beta-1<=3.2.9

Jenkins Matrix Authorization Strategy Jenkins>=2.1<3.2.10

Jenkins Matrix Authorization Strategy Jenkins=2.0-beta1

Jenkins Matrix Authorization Strategy Jenkins=2.0-beta2

Jenkins Matrix Authorization Strategy Jenkins=2.0-beta3

Event History

Apr 29, 2026

CVE Published

via MITRE·01:31 PM

Data Sourced

via MITRE·01:31 PM

Description

Data Sourced

via NVD·02:16 PM

DescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2026-42521?

The severity of CVE-2026-42521 is considered high due to potential remote code execution risks.

How do I fix CVE-2026-42521?

To fix CVE-2026-42521, upgrade the Jenkins Matrix Authorization Strategy Plugin to version 3.2.10 or later.

What versions are affected by CVE-2026-42521?

CVE-2026-42521 affects Jenkins Matrix Authorization Strategy Plugin versions from 2.0-beta-1 to 3.2.9.

What kind of attacks can exploit CVE-2026-42521?

CVE-2026-42521 can potentially allow attackers to execute arbitrary code via deserialization flaws.

Is user interaction required to exploit CVE-2026-42521?

No user interaction is required to exploit CVE-2026-42521 as it can be triggered by manipulating deserialization processes.

CVSS Score

6.5Medium

Medium Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Security Metrics

Risk Score40

Severitymedium(6.5)

CWE

502

Timeline

PublishedApr 29, 2026

Updated

References

jenkins.io/security/advisory/2026-04-...

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.