CVE-2026-42525
Published Apr 29, 2026
Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
Affected Software
2 affected components
Jenkins Microsoft Entra ID Plugin <= 666.v6060de32f87d
Jenkins Azure Ad Jenkins <= 666.v6060de32f87d
Event History
Apr 29, 2026
CVE Published (via MITRE, 01:31 PM)
Data Sourced (via MITRE, 01:31 PM)
Description (Data Sourced via NVD, 02:16 PM)
Frequently Asked Questions
1. What is the severity of CVE-2026-42525?
CVE-2026-42525 is rated as a medium severity vulnerability.
2. How do I fix CVE-2026-42525?
To fix CVE-2026-42525, upgrade to Jenkins Microsoft Entra ID Plugin version 667 or later.
3. What type of attacks does CVE-2026-42525 allow?
CVE-2026-42525 allows attackers to perform phishing attacks by exploiting the unrestricted (open) redirect URL used after login.
4. Which versions of Jenkins Microsoft Entra ID Plugin are affected by CVE-2026-42525?
Jenkins Microsoft Entra ID Plugin versions 666.v6060de32f87d and earlier are affected by CVE-2026-42525.
5. Is user data at risk due to CVE-2026-42525?
Yes, CVE-2026-42525 poses a risk to user data by enabling potential phishing attempts.